Aug 9

Purpose of Work:

August's Patch Tuesday has arrived, and it's certainly not a slow one. There are 121 vulnerabilities being patched this month, compared to 44 in August 2021 and 120 in August 2020. That makes this the second-densest month of patching this year, just behind April. Preliminary reports from early adopters indicate no apparent widespread issues despite Microsoft's heavy patching workload this month, but we'll be sure to roll things out later in the day and keep an eye on various external channels and our test environments in case that changes.

Of these 121 vulnerabilities, two are listed as publicly known, one of those two is under active exploitation, and the exploited vulnerability isn't wormable... so, while the overall number of vulnerabilities is high (and there are some standouts, as usual), the urgency is about average.

Kicking off the highlights, I'll start with the vulnerability that's already being exploited: a local code execution vulnerability leveraging the Microsoft Windows Support Diagnostic Tool (MSDT), affecting all supported versions of Windows and Windows Server ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34713 ). While the vulnerability is listed as a 'remote code execution', the CVSS summary makes it clear the vector is local. As with previous MSDT vulnerabilities, however, the code execution can be invoked by an MSDT URL called from any MSDT-aware application, such as Microsoft Word, meaning social engineering and malicious emails are viable 'remote' routes to this local vector via user interaction. Those with a lot of end users to look after (such as in VDI or RDS environments) will want to patch this ASAP.

Second on the list is a trio of Elevation of Privilege vulnerabilities, all affecting every supported version of Exchange Server ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24477 , https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24516 , https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21980 ). Of the 3 in that group, CVE-2022-30134 is publicly disclosed. There's no clear picture from any authoritative source of how these vulnerabilities work, but the fact that administrators patching against them are required to enable Extended Protection ( https://microsoft.github.io/CSS-Exchange/Security/Extended-Protection/ ) implies some kind of authentication bypass or MITM attack. User interaction is listed as required in the CVSS breakdown, so my guess would be the latter.

Third up, we have yet another Remote Code Execution vulnerability leveraging the SMB Client/Server, and (curiously) only affecting Windows 11 x64 and Arm64 ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35804 ). If this vulnerability affected more versions of Windows or Windows Server, it'd be of great concern, since it's definitely a wormable vulnerability. However, it doesn't... so, based on the CVE summary from MSRC, I have to assume this is specific to some bleeding-edge implementation of SMBv3 compression. Windows 11 users should apply patches ASAP, of course.

Fourth on the list, we have an RCE vulnerability leveraging Hyper-V on Windows Server 2012 R2 / Windows 10 and newer ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34696 ). As is the case with most RCE leveraging Hyper-V, the vector can be a VM on a Hyper-V host, which sends its payload up the stack to change scope and execute on the Hyper-V host itself. As is also typical of these vulnerabilities, the complexity is listed as 'high', and a race condition must be won for it to work, meaning that even if executed perfectly, probability still plays a role in successful exploitation.

Fifth on the list, there's a Denial of Service vulnerability leveraging the Outlook client, affecting all supported versions of Outlook ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35742 ). This one isn't a showstopper like many vulnerabilities, but it has the potential to really annoy end users just trying to use their mail. Any email crafted to carry a payload that exploits this vulnerability will cause Outlook to crash, then fail to launch. No amount of cache clearing will help: you'll have to identify and delete the malicious email to get Outlook to start, even if it's never been opened. Naturally, for those with a lot of end users to look after (VDI or RDS workloads), patching is preferable to having to do that for a number of users.

Finally, there's more patching against Elevation of Privilege vulnerabilities leveraging Active Directory Certificate Services in all supported versions of Windows Server ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691 ). This appears to reference the same hardening measures that were initially rolled out in May 2022, but it's not listed as a revision, nor are those hardening measures being made mandatory yet, so we'll be conducting more reviews to see exactly what's being done here. That said, compatibility mode (described here: https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16 ) seems to still be in effect.
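Because compatibility mode is still in effect, the practical question for a domain controller is whether anything would break if full enforcement were turned on. The following PowerShell is an added example for this post, not part of the original notice or of Microsoft's own tooling: it reads the enforcement state from the registry values documented in KB5014754 (StrongCertificateBindingEnforcement under the Kdc service key and CertificateMappingMethods under Schannel) and counts the KDC events (IDs 39, 40 and 41) that compatibility mode logs for certificates that authenticated but could not be strongly mapped to an account. The 30-day window and the "candidate for enforcement" rule are assumptions; run it with administrative rights on a domain controller.

```powershell
# Added example (not from the original notice): audit the KB5014754 certificate-based
# authentication hardening state on a domain controller before leaving compatibility mode.
# Registry paths, value names and event IDs follow Microsoft's KB5014754 documentation;
# the 30-day lookback and the decision rule at the bottom are assumptions for illustration.

$KdcPath      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$SchannelPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-CertAuthHardeningState {
    # StrongCertificateBindingEnforcement: 0 = disabled, 1 = compatibility mode, 2 = full enforcement.
    # When the value is absent the OS default applies, which is compatibility mode after the May 2022 update.
    $kdc = Get-ItemProperty -Path $KdcPath -Name StrongCertificateBindingEnforcement -ErrorAction SilentlyContinue
    $mode = if ($null -eq $kdc) { 1 } else { [int]$kdc.StrongCertificateBindingEnforcement }
    $modeName = switch ($mode) {
        0       { 'Disabled' }
        1       { 'Compatibility' }
        2       { 'FullEnforcement' }
        default { "Unknown($mode)" }
    }

    # CertificateMappingMethods controls which Schannel certificate-to-account mappings are allowed;
    # 0x18 is the post-update default documented in the KB.
    $sch = Get-ItemProperty -Path $SchannelPath -Name CertificateMappingMethods -ErrorAction SilentlyContinue
    $mapping = if ($null -eq $sch) { 0x18 } else { [int]$sch.CertificateMappingMethods }

    [pscustomobject]@{
        KdcEnforcementMode     = $modeName
        SchannelMappingMethods = ('0x{0:X}' -f $mapping)
    }
}

function Get-WeakCertMappingEvents {
    param([int]$Days = 30)
    # In compatibility mode the KDC logs events 39/40/41 for certificates that were accepted
    # but lack a strong mapping; these are the accounts that will fail under full enforcement.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 39, 40, 41
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$state  = Get-CertAuthHardeningState
$events = @(Get-WeakCertMappingEvents -Days 30)

$state | Format-List
"Weak-mapping KDC events in the last 30 days: $($events.Count)"
$events | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize

if ($state.KdcEnforcementMode -eq 'Compatibility' -and $events.Count -eq 0) {
    'No weak mappings observed in the window; this DC is a candidate for full enforcement (StrongCertificateBindingEnforcement = 2).'
}
elseif ($events.Count -gt 0) {
    'Weak mappings are still in use; re-issue or re-map those certificates before enabling full enforcement.'
}
```

The event query only reports what this one DC has seen, so run it against every DC (or forward the System log centrally) before treating a zero count as proof that enforcement is safe.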

That's all for the highlights, but as usual, there's plenty more where that came from, all reviewable at https://msrc.microsoft.com/update-guide with the proper filtering.


Impact of Work:

All affected hosts that are 2012 and up will be rebooted automatically / ASAP to propagate fixes, starting at 10:45PM, with some exceptions.

Internal systems on Windows 2012 and up (such as the management portal) may be temporarily impacted in the time it takes to reboot them. Mail delivery to our helpdesk may be temporarily halted while our mail servers are updated as part of this patch cycle. If you receive a delivery failure, you can still reach us by logging directly into the helpdesk and submitting a ticket via the portal, or by calling us at 303-414-6910 x2 for emergencies.

Hypervisors in a failover cluster will have rolling reboots done, in order to eliminate VPS downtime on said clusters.  Hypervisors not in a failover cluster will either be updated overnight, or have their updates scheduled, depending on customer policy / VM density.

Hypervisors in DR scenarios will be updated one hour early, as they are not running active workloads.

Any hosts where updates are managed directly by the customer (or an approval process is required for zero-day updates) will not be impacted; the controlling organizations will be notified separately.

Please contact us with any questions / comments / concerns.