Microsoft’s vulnerability hunters presented a fresh catch: 64 vulnerabilities in various products and services, five of which are critical. Two vulnerabilities were publicly disclosed before the patch was released (which technically makes them zero-days), and one is actively exploited by attackers. As usual, we recommend installing the updates without delay. In the meantime, we will briefly go over the vulnerabilities that deserve special attention.
CVE-2022-37969, actively exploited by attackers
CVE-2022-37969 is a zero-day vulnerability in the Common Log File System driver. It is not the most dangerous bug among those closed by the latest update (its CVSS rating is only 7.8) — in order to take advantage of it, attackers first need to gain access to the victim’s computer by some other means. However, successful exploitation allows them to elevate their privileges to SYSTEM. According to Microsoft, some attackers already use an exploit for this vulnerability in the wild, so it should be patched as soon as possible.
All five newly fixed critical vulnerabilities belong to the remote code execution (RCE) class, that is, they can be used to run arbitrary code on victim computers.
- CVE-2022-34718 — a bug in Windows TCP/IP with a CVSS rating of 9.8. An unauthenticated attacker can use it to execute arbitrary code on a Windows computer that has the IPSec service enabled, by sending it a specially crafted IPv6 packet.
- CVE-2022-34721 and CVE-2022-34722 — vulnerabilities in the Internet Key Exchange (IKE) protocol implementation that allow an attacker to execute malicious code, again by sending a specially crafted IP packet to a vulnerable machine. Both have a CVSS rating of 9.8. Although these vulnerabilities only affect the IKEv1 protocol version, Microsoft notes that all Windows Server systems are vulnerable because they accept both v1 and v2 packets.
- CVE-2022-34700 and CVE-2022-35805 — a pair of vulnerabilities in Microsoft Dynamics customer relationship management (CRM) software. Their exploitation allows an authenticated user to execute arbitrary SQL commands, after which the attacker can elevate their rights and execute commands inside the Dynamics 365 database with db_owner rights. Since an attacker still needs to somehow authenticate, the CVSS ratings of these vulnerabilities are slightly lower (8.8), but they are still considered critical.
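The three network-reachable critical bugs above share a small set of preconditions: the IKE service must be processing packets (CVE-2022-34721/34722), IPsec must be enabled and an IPv6 packet must reach the host (CVE-2022-34718). The following PowerShell script, an added example that is not part of the original post or of any Microsoft tooling, checks those preconditions on a single host and whether a given update is installed, so a defender can triage which machines to patch first. It assumes Windows 8/Server 2012 or later (for the NetTCPIP and NetSecurity cmdlets) and that it is run from an elevated prompt; the KB number is a placeholder, because the post names no KB article, and must be replaced with the September 2022 update identifier for the specific OS build.

```powershell
# Added example (not from the original post): exposure triage for
# CVE-2022-34718 (Windows TCP/IP, IPv6 packet, IPsec enabled) and
# CVE-2022-34721 / CVE-2022-34722 (IKE, processed by the IKEEXT service).
# Assumptions: Windows 8 / Server 2012 or later, elevated PowerShell.

# PLACEHOLDER: the post does not name the KB article; look up the September 2022
# cumulative update for this OS build in the Microsoft advisory and put it here.
$patchKb = 'KB0000000'

function Get-PatchTuesdayExposure {
    param([string]$KbId = $patchKb)

    # 1. IKE and AuthIP IPsec Keying Modules service. If it is not running,
    #    the host is not processing IKE packets at all.
    $ike = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
    $ikeRunning = [bool]($ike -and $ike.Status -eq 'Running')

    # 2. Adapters with the IPv6 stack bound. CVE-2022-34718 is triggered by a
    #    crafted IPv6 packet, so hosts with IPv6 unbound everywhere are not reachable that way.
    $ipv6Adapters = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled } |
        Select-Object -ExpandProperty Name)

    # 3. Enabled IPsec rules: a cheap indicator that IPsec is actually in use on this host.
    $ipsecRules = @(Get-NetIPsecRule -Enabled True -ErrorAction SilentlyContinue)

    # 4. Is the update already installed? Get-HotFix returns nothing for an unknown KB.
    $patched = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        IkeServiceOn    = $ikeRunning
        IPv6Adapters    = ($ipv6Adapters -join ', ')
        IPsecRulesOn    = $ipsecRules.Count
        PatchInstalled  = $patched
        # Unpatched and either IKE is listening or IPsec is configured: patch first.
        PrioritizePatch = (-not $patched) -and ($ikeRunning -or $ipsecRules.Count -gt 0)
    }
}

Get-PatchTuesdayExposure | Format-List
```

Run it under a management tool that fans out to many hosts (for example via Invoke-Command) and sort on PrioritizePatch to get the patching order; the script only reads state and changes nothing. Note that the IPv6 and IPsec columns are hints for prioritisation, not a substitute for the update: Microsoft's guidance is that every affected system gets patched.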
A vulnerability relevant to ARM processors — CVE-2022-23960
CVE-2022-23960 is the second vulnerability that was publicly disclosed before the patch. In theory, this means that attackers could have started using it before it was patched, but that does not appear to be the case. In fact, CVE-2022-23960 is yet another variation of the Spectre vulnerability, which abuses the processor’s speculative execution mechanism. In other words, the probability of its use in real attacks is extremely small — the danger is rather theoretical. What’s more, this vulnerability is only relevant for the Windows 11 operating system on ARM64-based systems, which makes exploitation even less practical.
There are surprisingly few low-risk vulnerabilities in the September Patch Tuesday update — only one has a low severity rating and another one has a medium rating. The remaining 57, although not as dangerous as the five aforementioned critical ones, still belong to the “important” category. Therefore, as we already recommended at the beginning of the post, it’s better to update without delay.
How to stay safe
First of all, you should install the patches for the vulnerabilities described above. In addition, we recommend protecting all computers and servers connected to the Internet with security solutions equipped with technologies for vulnerability detection and exploit prevention. This will help to defend your company against both known and still-unknown vulnerabilities.