Monthly Security Patching for Fully-Managed Windows 2012+ servers - July 12, 2022
Posted by David Cunningham on 12 July 2022 08:13 PM
Purpose of Work:
Patch Tuesday has rolled around. The volume of fixes is a bit lower than in July of last year, and there are no early reports of issues caused by this round of patches. Of the 87 fixes released in this batch, only two are reported as exploited in active attacks (and one of those is for Microsoft Edge).
There are also no patched vulnerabilities marked as publicly disclosed other than these two, but it's worth noting that there are plenty of Windows bugs publicly disclosed this month that are not included in this patching cycle, so we'll be keeping an eye out for out-of-band Windows patches.
To start with the one actively targeted Windows vulnerability: this one is an Elevation of Privilege vulnerability in the CSRSS component (the Client Server Runtime Subsystem), affecting all supported versions of Windows and Windows Server ... and likely a few unsupported ones ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047 ). Microsoft is sparse on the details for this one, but attack complexity and the privileges required are both low, so if it's paired with any kind of remote code execution able to interact with CSRSS (likely including compromised websites), it can easily be used to elevate that code to running as SYSTEM, as is evidenced by its active-attack status. I recommend you patch this one quickly, if you're running any application that
Next up, we have a Tampering vulnerability in the 'Server' service (the service behind SMB file sharing) that affects Windows Server 20H2 and 2022 (or Windows 10 20H2 and up): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30216 . Tampering vulnerabilities are pretty flexible in their potential impact (they can be used to elevate, execute code, or disclose information). That said, this one does require some level of authentication despite having a network vector, so I'd treat it like an Elevation of Privilege vulnerability.
Third on the list, there's a Remote Code Execution vulnerability in the RPC service, affecting Windows Server 2012 and up (or Windows 8 and up): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22038 . This one is fairly alarming: code run through it is automatically elevated, it has a network vector, and no user interaction or authentication is required. The only thing potentially stopping it from being a wormable threat is that the attack complexity is marked 'high', with the following note provided by MS: "Successful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data."
Fourth on the list, there's an Elevation of Privilege vulnerability in IIS, affecting all supported versions of Windows: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30209 . This one's a bit odd: it's listed as requiring no privileges, and the description seems to imply that while you can bypass authentication to get privileged information from the server, you can't disrupt the service, which sounds more like information disclosure than elevation of privilege. There's also the note that successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.
That's it for the highlights this month, though as usual there are plenty of other vulnerabilities (including more Elevation of Privilege bugs in the Print Spooler service, and more Windows Network File System Remote Code Execution vulnerabilities, for the small percentage of users running that).
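The highlights above are easier to act on if you know which of the affected components a given host actually exposes. The PowerShell below is an added example, not tooling from the original post or from the provider: it inventories the optional services tied to this month's bulletins (Print Spooler, the Server service and its non-admin SMB shares, the RPC endpoint mapper, IIS, Server for NFS) plus the most recently installed hotfix, so hosts that expose more of this surface can be patched and rebooted first. It assumes you run it as an administrator from a host that can reach the target over WinRM/DCOM; the `$ComputerName` parameter and the report layout are this example's own choices.

```powershell
# Added example (not from the original post): triage one Windows Server 2012+ host
# for the components called out in the July 2022 bulletins. CSRSS is always present,
# so only the optional services are reported.
param(
    [string]$ComputerName = $env:COMPUTERNAME   # assumption: reachable over WinRM
)

$session = New-CimSession -ComputerName $ComputerName
$os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem

$report = [ordered]@{
    Host     = $ComputerName
    OS       = $os.Caption
    Build    = $os.BuildNumber
    LastBoot = $os.LastBootUpTime
}

# Service names are the real Windows service names; the labels are ours.
$services = [ordered]@{
    'Print Spooler (Spooler)'             = 'Spooler'
    'Server service / SMB (LanmanServer)' = 'LanmanServer'
    'RPC endpoint mapper (RpcEptMapper)'  = 'RpcEptMapper'
    'IIS (W3SVC)'                         = 'W3SVC'
    'Server for NFS (NfsService)'         = 'NfsService'
}
foreach ($label in $services.Keys) {
    $svc = Get-CimInstance -CimSession $session -ClassName Win32_Service `
        -Filter "Name='$($services[$label])'"
    $report[$label] = if ($null -eq $svc) { 'not installed' } else { "$($svc.State) ($($svc.StartMode))" }
}

# Hosts that actually share files are where the Server service bug matters most.
# Win32_Share Type 0 is a plain disk share; admin shares (C$, ADMIN$, IPC$) use other types.
$shares = Get-CimInstance -CimSession $session -ClassName Win32_Share | Where-Object { $_.Type -eq 0 }
$report['Non-admin SMB shares'] = ($shares | Select-Object -ExpandProperty Name) -join ', '

# Most recent hotfix: compare its ID/date against the July 2022 cumulative update for this build.
$latest = Get-HotFix -ComputerName $ComputerName | Sort-Object InstalledOn -Descending | Select-Object -First 1
$report['Latest hotfix'] = if ($latest) { "$($latest.HotFixID) on $($latest.InstalledOn)" } else { 'none found' }

Remove-CimSession $session
[pscustomobject]$report
```

Run it once per host (or wrap it in a `foreach` over your inventory) and sort the output by the services that are present: a box showing IIS running plus a handful of non-admin SMB shares and a hotfix date from before July 12 belongs at the front of the reboot queue.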
Impact of Work:
All affected hosts running Windows Server 2012 and up will be rebooted automatically / ASAP to apply the fixes, starting at 9:30 PM, with the exceptions noted below.
Internal systems on Windows Server 2012 and up (such as the management portal) may be temporarily impacted for the time it takes to reboot them. Mail delivery to our helpdesk may be temporarily halted while our mail servers are updated as part of this patch cycle. If you receive a delivery failure, you can still reach us by logging directly into the helpdesk and submitting a ticket via the portal, or, for emergencies, by calling us at 303-414-6910 x2.
Hypervisors in a failover cluster will be rebooted on a rolling basis, so that VPS workloads on those clusters see no downtime. Hypervisors not in a failover cluster will either be updated overnight or have their updates scheduled, depending on customer policy and VM density.
Hypervisors in DR scenarios will be updated one hour early, as they are not running active workloads.
Any hosts where updates are managed directly by the customer (or where an approval process is required for zero-day updates) will not be impacted; the controlling organizations will be notified separately.
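For readers who run their own Hyper-V failover clusters and want to reproduce the rolling-reboot step described above, the script below is an added example and not the provider's own maintenance tooling. It drains each node (live-migrating its VMs to the remaining nodes) before rebooting it, refuses to take down the last node that is up, and resumes the node with immediate failback once it is back. It assumes the cumulative update has already been installed on every node, that you run it from a management host with the FailoverClusters module as a cluster administrator, and that `$ClusterName` and the optional `$RequiredKB` list are placeholders you fill in for your environment (the example does not know which KB applies to your build).

```powershell
# Added example (not the provider's tooling): reboot cluster nodes one at a time,
# draining roles first so VPS workloads on the cluster stay up.
param(
    [Parameter(Mandatory)] [string]$ClusterName,   # assumption: your cluster name
    [string[]]$RequiredKB = @()                    # assumption: KB IDs that must already be installed
)

Import-Module FailoverClusters

$upNodes = Get-ClusterNode -Cluster $ClusterName | Where-Object { $_.State -eq 'Up' }

foreach ($node in $upNodes) {
    $name = $node.Name

    # A reboot without the update installed gains nothing and costs a migration, so skip it.
    if ($RequiredKB.Count -gt 0) {
        $installed = (Get-HotFix -ComputerName $name).HotFixID
        $missing = $RequiredKB | Where-Object { $_ -notin $installed }
        if ($missing) {
            Write-Warning "$name is missing $($missing -join ', '); skipping this node"
            continue
        }
    }

    # Never drain the last node that is up: with nowhere to migrate, every VM would stop.
    $others = Get-ClusterNode -Cluster $ClusterName |
        Where-Object { $_.Name -ne $name -and $_.State -eq 'Up' }
    if (-not $others) { throw "$name is the only node up in $ClusterName; aborting" }

    Write-Host "Draining $name (live-migrating its roles)"
    Suspend-ClusterNode -Cluster $ClusterName -Name $name -Drain -Wait | Out-Null

    Write-Host "Rebooting $name"
    Restart-Computer -ComputerName $name -Force -Wait -For PowerShell -Timeout 1800

    # Wait for the cluster service to rejoin; a drained node comes back as Paused.
    $deadline = (Get-Date).AddMinutes(15)
    do {
        Start-Sleep -Seconds 15
        $state = (Get-ClusterNode -Cluster $ClusterName -Name $name).State
    } until ($state -eq 'Paused' -or (Get-Date) -gt $deadline)
    if ($state -ne 'Paused') { throw "$name did not rejoin $ClusterName as Paused; stopping here" }

    Resume-ClusterNode -Cluster $ClusterName -Name $name -Failback Immediate | Out-Null
    Write-Host "$name back in service"
}
```

The loop deliberately stops at the first node that fails to rejoin rather than moving on: continuing would shrink the cluster further while one node is already in an unknown state, which is exactly the situation a rolling reboot is meant to avoid.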
Please contact us with any questions / comments / concerns.