🔒
There are new articles available, click to refresh the page.
Before yesterdayZero Day Initiative - Blog

The July 2021 Security Update Review

13 July 2021 at 17:24

The second Tuesday of the month is here, and it brings with it the latest security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for July 2021

For July, Adobe released five patches addressing 29 CVEs in Adobe Dimension, Illustrator, Framemaker, Acrobat and Reader, and Adobe Bridge. A total of 15 of these bugs were reported through the ZDI program with several being discovered by ZDI researchers Mat Powell and Joshua Smith. The update for update Acrobat and Reader fixes 19 different bugs – several of which could lead to code execution if an attacker can convince a user to open a malicious PDF with an affected version. The update for Dimension also could allow code execution. For Illustrator, three bugs are being fixed. The two that allow for code execution occur in during the processing of PDF and JPEG2000 files. These issues result from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. Similar Out-Of-Bounds (OOB) Write bugs exist in the five fixes for Bridge. Again, code execution would occur at the level of the logged-on user. The single CVE fixed by the Framemaker patch corrects an OOB Write that exists within the parsing of TrueType fonts embedded in PDF files.

None of the bugs fixed this month by Adobe are listed as publicly known or under active attack at the time of release.

Microsoft Patches for July 2021

For July, Microsoft released patches for 117 CVEs in Microsoft Windows, Dynamics, Exchange Server, Microsoft Office, Windows Storage Spaces Controller, Bing, SharePoint Server, Internet Explorer (IE), Visual Studio, and OpenEnclave. A total of 17 of these bugs were reported through the ZDI program. Of these 117 bugs, 13 are rated Critical, 103 are rated Important, and one is rated as Moderate in severity. This volume of fixes is more than the last two months combined and on par with the monthly totals from 2020. Perhaps the lowered rate seen in the prior months was an aberration. According to Microsoft, six of these bugs are publicly known and four are listed as under active attack at the time of release.

Let’s take a closer look at some of the more interesting updates for this month, starting with a bug that’s already received a lot of (warranted) attention:

-       CVE-2021-34527 - Windows Print Spooler Remote Code Execution Vulnerability
Much has already been written about this currently exploited bug also known as PrintNightmare. Microsoft released an Out-of-Band (OOB) patch for this bug on July 1, and they have updated it multiple times since then. There have been reports the patch is ineffective, but Microsoft insists it works – provided certain registry keys have the correct values. Enterprises should verify these registry keys are configured as intended and get this patch rolled out. It’s also a fine time to disable the Print Spooler service wherever it isn’t needed and restrict the installation of printer drivers to just administrators.

-       CVE-2021-34448 - Scripting Engine Memory Corruption Vulnerability
This bug is also listed as under active exploit, but there’s no indication of how widespread the attack is. The vulnerability allows an attacker to execute their code on an affected system if a user browses to a specially crafted website. The code execution would occur at the logged-on user level. This is also a case where CVSS doesn’t quite offer a true glimpse of the threat. Microsoft lists the attack complexity as high, which knocks this from a high severity (>8) to a medium severity (6.8). However, if there are already active attacks, does complexity matter? Regardless, treat this as critical since it could allow code execution on every supported version of Windows.

-       CVE-2021-34494 - Windows DNS Server Remote Code Execution Vulnerability
This bug is currently not under active attack, but considering the severity, there are those who will work to change that status. This bug could allow remote code execution at a privileged service level on a listening network port without user interaction. Microsoft does mention low privileges are needed, but depending on the server configuration, these could be easily gained. This bug is restricted to DNS Servers only, but if there’s one system you don’t want wormed, it’s probably your DNS server. Definitely test and deploy this one quickly.

-       CVE-2021-34458 - Windows Kernel Remote Code Execution Vulnerability
It’s rare to see remote code execution in a kernel bug, but this is that rare exception. This bug impacts systems hosting virtual machines with single root input/output virtualization (SR-IOV) devices. It’s not clear how widespread this configuration is, but considering this bug rates as a CVSS 9.9, it’s not one to ignore. If you have virtual machines in your environment, test and patch quickly.

Here’s the full list of CVEs released by Microsoft for July 2021:

CVE Title Severity CVSS Public Exploited Type
CVE-2021-34527 Windows Print Spooler Remote Code Execution Vulnerability Critical 8.8 Yes Yes RCE
CVE-2021-34448 Scripting Engine Memory Corruption Vulnerability Critical 6.8 No Yes RCE
CVE-2021-31979 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2021-33771 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2021-34473 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 9.1 Yes No RCE
CVE-2021-33781 Active Directory Security Feature Bypass Vulnerability Important 8.1 Yes No SFB
CVE-2021-34523 Microsoft Exchange Server Elevation of Privilege Vulnerability Important 9 Yes No EoP
CVE-2021-33779 Windows ADFS Security Feature Bypass Vulnerability Important 8.1 Yes No SFB
CVE-2021-34492 Windows Certificate Spoofing Vulnerability Important 8.1 Yes No Spoofing
CVE-2021-34474 Dynamics Business Central Remote Code Execution Vulnerability Critical 8 No No RCE
CVE-2021-34464 Microsoft Defender Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-34522 Microsoft Defender Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-34439 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-34503 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-34494 Windows DNS Server Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-34450 Windows Hyper-V Remote Code Execution Vulnerability Critical 8.5 No No RCE
CVE-2021-34458 Windows Kernel Remote Code Execution Vulnerability Critical 9.9 No No RCE
CVE-2021-33740 Windows Media Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-34497 Windows MSHTML Platform Remote Code Execution Vulnerability Critical 6.8 No No RCE
CVE-2021-34476 Bowser.sys Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-34489 DirectWrite Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34440 GDI+ Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-31947 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33775 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33776 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33777 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33778 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33760 Media Foundation Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-33753 Microsoft Bing Search Spoofing Vulnerability Important 4.7 No No Spoofing
CVE-2021-34501 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34518 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33766 Microsoft Exchange Information Disclosure Vulnerability Important 7.3 No No Info
CVE-2021-33768 Microsoft Exchange Server Elevation of Privilege Vulnerability Important 8 No No EoP
CVE-2021-34470 Microsoft Exchange Server Elevation of Privilege Vulnerability Important 8 No No EoP
CVE-2021-31196 Microsoft Exchange Server Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2021-31206 Microsoft Exchange Server Remote Code Execution Vulnerability Important 7.6 No No RCE
CVE-2021-34451 Microsoft Office Online Server Spoofing Vulnerability Important 5.3 No No Spoofing
CVE-2021-34469 Microsoft Office Security Feature Bypass Vulnerability Important 8.2 No No SFB
CVE-2021-34467 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 7.1 No No RCE
CVE-2021-34468 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 7.1 No No RCE
CVE-2021-34520 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.1 No No RCE
CVE-2021-34517 Microsoft SharePoint Server Spoofing Vulnerability Important 5.3 No No Spoofing
CVE-2021-34479 Microsoft Visual Studio Spoofing Vulnerability Important 7.8 No No Spoofing
CVE-2021-34441 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34452 Microsoft Word Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33767 Open Enclave SDK Elevation of Privilege Vulnerability Important 8.2 No No EoP
CVE-2021-31984 Power BI Remote Code Execution Vulnerability Important 7.6 No No RCE
CVE-2021-34521 Raw Image Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33751 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-34460 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34510 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34512 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34513 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34509 Storage Spaces Controller Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-34477 Visual Studio Code .NET Runtime Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34528 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34529 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34449 Win32k Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-34516 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34491 Win32k Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-34504 Windows Address Book Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33785 Windows AF_UNIX Socket Provider Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-34459 Windows AppContainer Elevation Of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34462 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-33782 Windows Authenticode Spoofing Vulnerability Important 5.5 No No Spoofing
CVE-2021-33784 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34488 Windows Console Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34461 Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-33759 Windows Desktop Bridge Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-33745 Windows DNS Server Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2021-34442 Windows DNS Server Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-34444 Windows DNS Server Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2021-34499 Windows DNS Server Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2021-33746 Windows DNS Server Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2021-33754 Windows DNS Server Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2021-33780 Windows DNS Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-34525 Windows DNS Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-33749 Windows DNS Snap-in Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-33750 Windows DNS Snap-in Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-33752 Windows DNS Snap-in Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-33756 Windows DNS Snap-in Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-33774 Windows Event Tracing Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-34455 Windows File History Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34438 Windows Font Driver Host Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34498 Windows GDI Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34496 Windows GDI Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-34466 Windows Hello Security Feature Bypass Vulnerability Important 5.7 No No SFB
CVE-2021-34446 Windows HTML Platform Security Feature Bypass Vulnerability Important 8 No No SFB
CVE-2021-33755 Windows Hyper-V Denial of Service Vulnerability Important 6.3 No No DoS
CVE-2021-33758 Windows Hyper-V Denial of Service Vulnerability Important 7.7 No No DoS
CVE-2021-34511 Windows Installer Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-33765 Windows Installer Spoofing Vulnerability Important 6.2 No No Spoofing
CVE-2021-31961 Windows InstallService Elevation of Privilege Vulnerability Important 6.1 No No EoP
CVE-2021-34514 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34500 Windows Kernel Memory Information Disclosure Vulnerability Important 6.3 No No Info
CVE-2021-34508 Windows Kernel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33764 Windows Key Distribution Center Information Disclosure Vulnerability Important 5.9 No No Info
CVE-2021-33788 Windows LSA Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-33786 Windows LSA Security Feature Bypass Vulnerability Important 8.1 No No SFB
CVE-2021-34447 Windows MSHTML Platform Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2021-34493 Windows Partition Management Driver Elevation of Privilege Vulnerability Important 6.7 No No EoP
CVE-2021-33743 Windows Projected File System Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-33761 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-33773 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34445 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34456 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-33763 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-34454 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-34457 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-34507 Windows Remote Assistance Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-33744 Windows Secure Kernel Mode Security Feature Bypass Vulnerability Important 5.3 No No SFB
CVE-2021-33757 Windows Security Account Manager Remote Protocol Security Feature Bypass Vulnerability Important 5.3 No No SFB
CVE-2021-33783 Windows SMB Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-31183 Windows TCP/IP Driver Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-33772 Windows TCP/IP Driver Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-34490 Windows TCP/IP Driver Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-34519 Microsoft SharePoint Server Information Disclosure Vulnerability Moderate 5.3 No No Info

Looking at the remaining patches, you’ll note seven patches for Exchange Server, but only some of these are actually new. One of the new ones is CVE-2021-31206, which was disclosed during the last Pwn2Own contest. There are also new patches for elevation of privilege bugs that could be exploited in a man-in-the-middle attack or be network adjacent. The real surprise in this month’s Exchange patches are the three bugs patched in April but not documented until today. Silent patches have caused many problems in the past and represent significant risks to enterprises. While the goal should be for administrators to install every patch, this is simply not feasible for most networks. Network defenders need as much information as possible to prioritize their resources. If they are not provided guidance on installing the patch, or information from the vendor on the severity of the patch, their uninformed decision could have negative consequences.

Taking a look at the remaining Critical-rated bugs, there are two updates for Defender code execution bugs, although you likely won’t need to take any action. Microsoft regularly updates the Malware Protection Engine, so if your system is connected to the Internet, it should have already received an update. There are also RCE bugs in Dynamics 365 Business Central, Windows Media Foundation, MSHTML, and Hyper-V.

Moving to the Important-rated RCE bugs, there are quite a few impacting the Windows DNS Server. Most of these would require an administrator to view a malicious record in the DNS Snap-in to be exploited. There are also a few that have no user interaction and require only low-level privileges. Two of the patches fix denial-of-service (DoS) bugs in the server. Shutting DNS down is nearly as severe as taking it over. In all cases, the DNS Server must be enabled for a system to be impacted by these bugs. The Important RCEs category is rounded out by fixes for Office components, SharePoint Server, and HEVC Video Extensions.

There are a total of 32 Elevation of Privilege (EoP) patches in this month’s release. In addition to the ones previously mentioned, six of these fix EoP bugs in the Windows Storage Spaces Controller. There are also fixes for EoP vulnerabilities in the kernel, Remote Access Connection Manager, Installer service, partition management, and projected file system.

We’ve already mentioned quite a few DoS bugs in this release, and there are a few more to look out for. The first is a bug in the Local Security Authority (LSA). Microsoft doesn’t detail the impact of the bug, but a DoS on LSA implies users can’t authenticate. There are three DoS vulnerabilities in the TCP/IP stack. Again, no details from Microsoft, but it appears an attacker could shut down all networking on a device. Finally, there are fixes for DoS bugs in bowser.sys and the Windows AF_UNIX Socket Provider.

There are 14 patches fixing information disclosure bugs this month, including the single Moderate-rated fix for a bug in SharePoint Server. This bug could disclose PII and, in some cases, requires multiple packages to be completely addressed. Most of the other bugs only lead to leaks consisting of unspecified memory contents. Two notable exceptions impact KDC and SMB. The KDC has a weak encryption algorithm that could be used to decrypted and expose information related to a user or service's active session. The SMB bug could allow an attacker unauthorized file system access, meaning they could read files on the affected system.

Eight security feature bypasses are fixed in this month’s release. The patch for ADFS fixes a bug in the Primary Refresh Tokens, which are normally stored in the TPM. The tokens aren’t encrypted properly. Attackers could extract and potentially decrypt the token for reuse until the token expires or is renewed. There’s a bug in LSA that could allow a read-only domain controller (RODC) to delegate rights by granting itself a ticket. This ticket isn’t validated by a domain controller, which could lead to a read-only DC getting Read/Write privileges. A patch for the Security Account Manager adds Advanced Encryption Standard (AES) encryption as the preferred method when using the MS-SAMR protocol. Microsoft will be releasing KB5004605 with additional configuration details in the future. At the time of release, it’s mentioned, but not live yet. Frustratingly, no details are available about the other bypasses, which includes the patches for two publicly known bugs and Windows Hello.

This month’s release is rounded out by seven patches to address spoofing bugs in SharePoint Server, Bing Search, Visual Studio, Office, Authenticode, Installer, and bug that could allow certificate spoofing. In late June, Microsoft reported they were investigating reports regarding a malicious actor trying to leverage the Windows Hardware Compatibility Program (WHCP) process. While they indicated there was no evidence of certificate exposure, it’s possible this patch resulted from that investigation. They do mark the bug as publicly known, but there’s no documentation confirming the link. No details are available about any of the other spoofing patches.

As usual, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows this month. No new advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on August 10, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The July 2021 Security Update Review

The August 2021 Security Update Review

10 August 2021 at 17:22

It’s the second Tuesday of the month, and that means the latest security updates from Adobe and Microsoft have been released. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for August 2021

For August, Adobe released two patches addressing 29 CVEs in Adobe Connect and Magento. The update for Connect is rated Important and fixes a single security feature bypass and two cross-site scripting bugs. The Critical-rated patch for Magento fixes a wide range of bugs, the worst of which could allow remote code execution.

None of the bugs fixed this month by Adobe are listed as publicly known or under active attack at the time of release.

Microsoft Patches for August 2021

For August, Microsoft released patches today for 44 CVEs in Microsoft Windows and Windows components, Office, .NET Core and Visual Studio, Windows Defender, Windows Update and Update Assistant, Azure, and Microsoft Dynamics. This is in addition to seven CVEs patched in Microsoft Edge (Chromium-based) earlier this month. A total of eight of these bugs were submitted through the ZDI program. Of the 44 CVEs patched today, seven are rated Critical and 37 are rated Important in severity. This is the smallest release for Microsoft in 2021 and could be due to resource constraints since Microsoft spent so much time in July responding to events like PrintNightmare and PetitPotam. In fact, this is the smallest release since December 2019. It will be interesting to see if the September patch volume rebounds to triple digits or remains on the smaller side.

According to Microsoft, two of these bugs are publicly known and one is listed as under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with a bug that’s listed as under active attack:

-       CVE-2021-36948 - Windows Update Medic Service Elevation of Privilege Vulnerability
This bug could allow a local privilege escalation through the Windows Update Medic Service – a new feature introduced in Windows 10 designed to repair Windows Update components from damage so that the computer can continue to receive updates. An attacker would need to log on to an affected system and run a specially crafted program to escalate privileges. Microsoft does not say how widespread the attacks are, but they are most likely targeted at this point.

-       CVE-2021-36942 - Windows LSA Spoofing Vulnerability
Speaking of PetitPotam, Microsoft released this patch to further protect against NTLM relay attacks by issuing this update to block the LSARPC interface. This will impact some systems, notably Windows Server 2008 SP2, that use the EFS API OpenEncryptedFileRawA function. You should apply this to your Domain Controllers first and follow the additional guidance in ADV210003 and KB5005413. This has been an ongoing issue since 2009, and, likely, this isn’t the last we’ll hear of this persistent issue.

-       CVE-2021-36936 - Windows Print Spooler Remote Code Execution Vulnerability
Another month, another remote code execution bug in the print spooler. This bug is listed as publicly known, but it’s not clear if this bug is a variant of PrintNightmare or a unique vulnerability all on its own. There are quite a few print spooler bugs to keep track of. Either way, attackers can use this to execute code on affected systems. Microsoft does state low privileges are required, so that should put this in the non-wormable category, but you should still prioritize testing and deployment of this Critical-rated bug.

UPDATE: Microsoft has released KB5005652 to provide guidance on managing new Point and Print default driver installation behavior. This is an update for CVE-2021-34481, which was originally released in July, 2021. Sysadmins should review this KB along with applying the Print Spooler related updates in this release.

-       CVE-2021-34535 - Remote Desktop Client Remote Code Execution Vulnerability
Before you start having flashbacks to BlueKeep, this bug affects the RDP client and not the RDP server. However, the CVSS 9.9 bug is nothing to ignore. An attacker can take over a system if they can convince an affected RDP client to connect to an RDP server they control. On Hyper-V servers, a malicious program running in a guest VM could trigger guest-to-host RCE by exploiting this vulnerability in the Hyper-V Viewer. This is the more likely scenario and the reason you should test and deploy this patch quickly.

Here’s the full list of CVEs released by Microsoft for August 2021:

CVE Title Severity CVSS Public Exploited Type
CVE-2021-36948 Windows Update Medic Service Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2021-36936 Windows Print Spooler Remote Code Execution Vulnerability Critical 8.8 Yes No RCE
CVE-2021-36942 Windows LSA Spoofing Vulnerability Important 9.8 Yes No Spoofing
CVE-2021-34535 Remote Desktop Client Remote Code Execution Vulnerability Critical 9.9 No No RCE
CVE-2021-34480 Scripting Engine Memory Corruption Vulnerability Critical 6.8 No No RCE
CVE-2021-34530 Windows Graphics Component Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-34534 Windows MSHTML Platform Remote Code Execution Vulnerability Critical 6.8 No No RCE
CVE-2021-26432 Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-26424 Windows TCP/IP Remote Code Execution Vulnerability Critical 9.9 No No RCE
CVE-2021-26423 .NET Core and Visual Studio Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-34485 .NET Core and Visual Studio Information Disclosure Vulnerability Important 5 No No Info
CVE-2021-34532 ASP.NET Core and Visual Studio Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-33762 Azure CycleCloud Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-36943 Azure CycleCloud Elevation of Privilege Vulnerability Important 4 No No EoP
CVE-2021-26430 Azure Sphere Denial of Service Vulnerability Important 6 No No DoS
CVE-2021-26429 Azure Sphere Elevation of Privilege Vulnerability Important 7.7 No No EoP
CVE-2021-26428 Azure Sphere Information Disclosure Vulnerability Important 4.4 No No Info
CVE-2021-36949 Microsoft Azure Active Directory Connect Authentication Bypass Vulnerability Important 7.1 No No SFB
CVE-2021-36950 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 5.4 No No XSS
CVE-2021-34524 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability Important 8.1 No No RCE
CVE-2021-36946 Microsoft Dynamics Business Central Cross-site Scripting Vulnerability Important 5.4 No No XSS
CVE-2021-34478 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-36940 Microsoft SharePoint Server Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2021-34471 Microsoft Windows Defender Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36941 Microsoft Word Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34536 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36945 Windows 10 Update Assistant Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2021-34537 Windows Bluetooth Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36938 Windows Cryptographic Primitives Library Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-36927 Windows Digital TV Tuner device registration application Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26425 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34486 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34487 Windows Event Tracing Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-34533 Windows Graphics Component Font Parsing Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-36937 Windows Media MPEG-4 Video Decoder Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34483 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36947 Windows Print Spooler Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-26431 Windows Recovery Environment Agent Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26433 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-36926 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-36932 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-36933 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-26426 Windows User Account Profile Picture Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-34484 Windows User Profile Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-30590 Chromium: CVE-2021-30590 Heap buffer overflow in Bookmarks High N/A No No RCE
CVE-2021-30591 Chromium: CVE-2021-30591 Use after free in File System API High N/A No No RCE
CVE-2021-30592 Chromium: CVE-2021-30592 Out of bounds write in Tab Groups High N/A No No RCE
CVE-2021-30593 Chromium: CVE-2021-30593 Out of bounds read in Tab Strip High N/A No No Info
CVE-2021-30594 Chromium: CVE-2021-30594 Use after free in Page Info UI High N/A No No RCE
CVE-2021-30596 Chromium: CVE-2021-30596 Incorrect security UI in Navigation Medium N/A No No SFB
CVE-2021-30597 Chromium: CVE-2021-30597 Use after free in Browser UI Medium N/A No No RCE

You’ll notice this month’s table includes the Chromium updates for Edge. These vulnerabilities are listed with the severity as assigned by Google, which is different from the standard Microsoft nomenclature. Google does not assign a CVSS score, so none is listed in the table.

Looking at the remaining Critical-rated updates, most are of the browse-and-own variety, meaning an attacker would need to convince a user to browse to a specially crafted website with an affected system. One exception would be CVE-2021-26432, which is a patch for the Windows Services for NFS ONCRPC XDR Driver. Microsoft provides no information on how the CVSS 9.8 rated vulnerability could be exploited, but it does note  it needs neither privileges or user interaction to be exploited. This may fall into the “wormable” category, at least between servers with NFS installed, especially since the open network computing remote procedure call (ONCRPC) consists of an External Data Representation (XDR) runtime built on the Winsock Kernel (WSK) interface. That certainly sounds like elevated code on a listening network service. Don’t ignore this patch.

Another interesting Critical-rated bug affects the TCP/IP stack. Despite its CVSS rating of 9.9, this may prove to be a trivial bug, but it’s still fascinating. An attacker on a guest Hyper-V OS could execute code on the host Hyper-V server by sending a specially crafted IPv6 ping. This keeps it out of the wormable category. Still, a successful attack would allow the guest OS to completely take over the Hyper-V host. While not wormable, it’s still cool to see new bugs in new scenarios being found in protocols that have been around for years.

The remaining patches for RCE bugs primarily address open-and-own types of bugs in Microsoft Dynamics (on-prem), Office, Word, and Windows media components. For example, the vulnerability in Word would require someone to open a specially crafted Word doc with an affected version, resulting in code execution at the logged-on user lever. There’s also an Important-rated RCE bug in the print spooler, however, it’s not clear why this one is rated Important while the other is rated Critical. Both have the exact same CVSS rating. One is publicly known, but that shouldn’t affect severity. Best to treat both print spooler bugs as Critical, just to be on the safe side. 

There are a total of 16 Elevation of Privilege (EoP) patches in this month’s release. Most of these exist in Windows components and require an attacker to log on to an affected system and execute their specially crafted program. Six of these bugs were reported through the ZDI program by Abdelhamid Naceri (halov) and deal with improper link resolution before file access (Link Following) vulnerabilities. For example, by creating a directory junction, an attacker can abuse the Windows Update Assistant to delete a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the Administrator. Altogether, there are EoP fixes for Windows Defender, Azure Sphere and CycleCloud, Storage Spaces, the Update Assistant, the Bluetooth service, Windows Event Tracing, and the aforementioned Print Spooler.

Looking at the eight information disclosure bugs in this month’s release, more simply result in leaks consisting of unspecified memory contents. A notable exception is the patch for .NET Core and Visual Studio that could disclose data inside the targeted website like IDs, tokens, nonces, and other sensitive information. Microsoft does not specify what information is disclosed by the bug in the Windows Cryptographic Primitives Library, but judging by the title alone, it’s possible (though unlikely) that an attacker could recover plaintext data from encrypted content. Let’s hope we receive more information on this bug in the future.

Only two patches this month result in Denial-of-Service (DoS) conditions, but you likely only need to act on one. The update for Azure Sphere should have been automatically delivered to your device provided it is connected to the Internet. The other patch fixes a DoS bug in .NET Core and Visual Studio and needs to be installed as per usual.

There are also just two security feature bypasses getting fixes this month. The first is for Azure Active Directory Connect, but you’ll need to do more than just patch to prevent a Man-in-The-Middle (MiTM) attack between your Azure AD Connect server and a domain controller. You will also need to disable NTLM as laid out in this document. The other spoofing bug occurs in SharePoint Server and likely manifests as a cross-site scripting (XSS) issue. Speaking of XSS bugs, this month’s release is rounded out by two patches for XSS vulnerabilities in Microsoft Dynamics.

As expected, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows this month. No new advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on September 14, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The August 2021 Security Update Review

The September 2021 Security Update Review

14 September 2021 at 17:37

It’s the second Tuesday of the month, and that means the latest security updates from Adobe and Microsoft have been released. Apple and Google Chrome also released updates yesterday to fix bugs under active attack. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for September 2021

For September, Adobe released 15 patches covering 59 CVEs in Adobe Acrobat Reader, XMP Toolkit SDK, Photoshop, Experience Manager, Genuine Service, Digital Editions, Premiere Elements, Photoshop Elements, Creative Cloud Desktop, ColdFusion, Framemaker, InDesign, SVG-Native-Viewer, InCopy, and Premiere Pro. A total of 17 of these bugs came through the ZDI program.

The update for Adobe Acrobat fixes 26 bugs in total. Of these 26 bugs, 13 are rated Critical, 9 are rated Important, and four are rated Moderate in severity. The most severe of these bugs could allow remote code execution through either a type confusion, heap-based buffer overflow, or a use after free vulnerability. The single bug fixed by the Photoshop patch could also lead to code execution when opening a specially crafted file. The update for Framemaker includes five bugs found by ZDI researcher Mat Powell. The most severe of these issues result from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. If you’re still using ColdFusion, you’ll definitely want to patch the two Critical rated security feature bypass bugs being fixed today.

You can check out all of Adobe’s patches on their PSIRT page. None of the bugs fixed this month by Adobe are listed as publicly known or under active attack at the time of release.

Apple Patches for September 2021

Although Apple does not follow the second Tuesday patch release cycle, they did release patches yesterday fixing a couple of significant bugs. CVE-2021-30860 fixes an input validation bug in CoreGraphics that could allow remote code execution. Apple notes they are aware of a report this bug is being actively exploited. This was reported by the Citizen Lab, and public accounts indicate this bug was used to target a Saudi activist’s iPhone. While the likelihood of widespread attack using this bug is low, it should still be taken seriously. Apple also notes CVE-2021-30858 – a Use-After-Free (UAF) bug in Webkit – has also been detected in the wild. These bugs impact several different Apple products, including iOS, iPad OS, watchOS, Safari, Catalina, and Big Sur. Definitely take some time to review all of the patches and apply the applicable updates once tested.

Google Chrome Patches for September 2021

Not to be outdone by Apple, Google also released a new version of Chrome yesterday to address a total of nine CVEs – two of which are listed as under active attack. CVE-2021-30632 fixes an Out-of-Bounds (OOB) Write, while CVE-2021-30633 fixes a UAF bug. Both were reported by an anonymous researcher, and both could lead to code execution at the level of the logged-on user. All of the bugs fixed in this release receive a “High” severity rating from Google. If you are running Chrome, definitely update to ensure you are on the latest stable version.

Side note: As of today, not all these fixes have not been absorbed by Microsoft Edge (Chromium) and are unrelated to the Edge (Chromium) fixes discussed below. Microsoft did list CVE-2021-30632 on September 11 but appears to have jumped the gun a bit on this release as it currently shows a September 14 release date.

Microsoft Patches for September 2021

For September, Microsoft released patches today for 66 CVEs in Microsoft Windows and Windows components, Microsoft Edge (Chromium, iOS, and Android), Azure, Office and Office Components, SharePoint Server, Microsoft Windows DNS, and the Windows Subsystem for Linux. This is in addition to the 20 CVEs patched by Microsoft Edge (Chromium-based) earlier this month, which brings the September total to 86 CVEs. A total of 11 of these bugs were submitted through the ZDI program.

Of the 66 new CVEs patched today, three are rated Critical, 62 are rated Important, and one is rated Moderate in severity. This volume is slightly higher than the average for 2021, which is below the 2020 volume while still above what was seen in 2019. As with last month, Microsoft spent significant resources responding to bugs under active attack, most notably CVE-2021-40444. One other bug is listed as publicly known but not being exploited (for now).

Let’s take a closer look at some of the more interesting updates for this month, starting with the MSHTML bug that’s listed as under active attack:

-       CVE-2021-40444 - Microsoft MSHTML Remote Code Execution Vulnerability
This patch fixes a bug currently being exploited via Office documents. A specially crafted ActiveX control is embedded in an Office doc then sent to a target. If opened on an affected system, code executes at the level of the logged-on user. Microsoft lists disabling ActiveX as a workaround, but other reports state this may be ineffective. As of now, the most effective defense is to apply the patch and avoid Office docs you aren’t expecting to receive. There are multiple updates for specific platforms, so be sure to carefully review and install all needed patches to ensure you are covered.  

-       CVE-2021-36965 - Windows WLAN AutoConfig Service Remote Code Execution Vulnerability
This patch fixes a vulnerability that could allow network adjacent attackers to run their code on affected systems at SYSTEM level. This means an attacker could completely take over the target – provided they are on an adjacent network. This would be highly useful in a coffee shop scenario where multiple people are using an unsecured WiFi network. Still, this requires no privileges or user interaction, so don’t let the adjacent aspect of this bug diminish the severity. Definitely test and deploy this patch quickly.

-       CVE-2021-38647 - Open Management Infrastructure Remote Code Execution Vulnerability
This patch rates the highest CVSS (9.8) for this month and fixes an RCE bug in the Open Management Infrastructure (OMI). If you aren’t familiar with OMI, it’s an open-source project to further the development of a production-quality implementation of the DMTF CIM/WBEM standards. You can read all about it here. This vulnerability requires no user interaction or privileges, so an attacker can run their code on an affected system just by sending a specially crafted message to an affected system. OMI users should test and deploy this one quickly.

Here’s the full list of CVEs released by Microsoft for September 2021:

CVE Title Severity CVSS Public Exploited Type
CVE-2021-40444 Microsoft MSHTML Remote Code Execution Vulnerability Important 8.8 Yes Yes RCE
CVE-2021-36968 Windows DNS Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-38647 Open Management Infrastructure Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-26435 Windows Scripting Engine Memory Corruption Vulnerability Critical 8.1 No No RCE
CVE-2021-36965 Windows WLAN AutoConfig Service Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-36956 Azure Sphere Information Disclosure Vulnerability Important 4.4 No No Info
CVE-2021-38632 BitLocker Security Feature Bypass Vulnerability Important 5.7 No No SFB
CVE-2021-38661 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-40448 Microsoft Accessibility Insights for Android Information Disclosure Vulnerability Important 6.3 No No Info
CVE-2021-40440 Microsoft Dynamics Business Central Cross-site Scripting Vulnerability Important 5.4 No No XSS
CVE-2021-26436 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important 6.1 No No EoP
CVE-2021-36930 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important 5.3 No No EoP
CVE-2021-38669 Microsoft Edge (Chromium-based) Tampering Vulnerability Important 6.4 No No Tampering
CVE-2021-38641 Microsoft Edge for Android Spoofing Vulnerability Important 6.1 No No Spoofing
CVE-2021-38642 Microsoft Edge for iOS Spoofing Vulnerability Important 6.1 No No Spoofing
CVE-2021-38655 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-38644 Microsoft MPEG-2 Video Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-38646 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-38657 Microsoft Office Graphics Component Information Disclosure Vulnerability Important 6.1 No No Info
CVE-2021-38658 Microsoft Office Graphics Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-38660 Microsoft Office Graphics Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-38659 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-38650 Microsoft Office Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2021-38653 Microsoft Office Visio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-38654 Microsoft Office Visio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-38651 Microsoft SharePoint Server Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2021-38652 Microsoft SharePoint Server Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2021-38634 Microsoft Windows Update Client Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2021-38656 Microsoft Word Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-38645 Open Management Infrastructure Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38648 Open Management Infrastructure Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38649 Open Management Infrastructure Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-26437 Visual Studio Code Spoofing Vulnerability Important 5.5 No No Spoofing
CVE-2021-26434 Visual Studio Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36952 Visual Studio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-36975 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38639 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38628 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38638 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38629 Windows Ancillary Function Driver for WinSock Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-36959 Windows Authenticode Spoofing Vulnerability Important 5.5 No No Spoofing
CVE-2021-36954 Windows Bind Filter Driver Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2021-36963 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36955 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38633 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36964 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38630 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36961 Windows Installer Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2021-36962 Windows Installer Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-38625 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38626 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38624 Windows Key Storage Provider Security Feature Bypass Vulnerability Important 6.5 No No SFB
CVE-2021-38667 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38671 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-40447 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36969 Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-38635 Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-38636 Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-36973 Windows Redirected Drive Buffering System Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36974 Windows SMB Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36960 Windows SMB Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-36972 Windows SMB Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-38637 Windows Storage Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-36966 Windows Subsystem for Linux Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36967 Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability Important 8 No No EoP
CVE-2021-26439 Microsoft Edge for Android Information Disclosure Vulnerability Moderate 4.6 No No Info
CVE-2021-30606 Chromium: CVE-2021-30606 Use after free in Blink High N/A No No RCE
CVE-2021-30607 Chromium: CVE-2021-30607 Use after free in Permissions High N/A No No RCE
CVE-2021-30608 Chromium: CVE-2021-30608 Use after free in Web Share High N/A No No RCE
CVE-2021-30609 Chromium: CVE-2021-30609 Use after free in Sign-In High N/A No No RCE
CVE-2021-30610 Chromium: CVE-2021-30610 Use after free in Extensions API High N/A No No RCE
CVE-2021-30632 Chromium: CVE-2021-30632 Out of bounds write in V8 High N/A No Yes RCE
CVE-2021-30623 Chromium: CVE-2021-30623 Use after free in Bookmarks Low N/A No No RCE
CVE-2021-30624 Chromium: CVE-2021-30624 Use after free in Autofill Low N/A No No RCE
CVE-2021-30611 Chromium: CVE-2021-30611 Use after free in WebRTC Medium N/A No No RCE
CVE-2021-30612 Chromium: CVE-2021-30612 Use after free in WebRTC Medium N/A No No RCE
CVE-2021-30613 Chromium: CVE-2021-30613 Use after free in Base internals Medium N/A No No RCE
CVE-2021-30614 Chromium: CVE-2021-30614 Heap buffer overflow in TabStrip Medium N/A No No RCE
CVE-2021-30615 Chromium: CVE-2021-30615 Cross-origin data leak in Navigation Medium N/A No No Info
CVE-2021-30616 Chromium: CVE-2021-30616 Use after free in Media Medium N/A No No RCE
CVE-2021-30617 Chromium: CVE-2021-30617 Policy bypass in Blink Medium N/A No No SFB
CVE-2021-30618 Chromium: CVE-2021-30618 Inappropriate implementation in DevTools Medium N/A No No RCE
CVE-2021-30619 Chromium: CVE-2021-30619 UI Spoofing in Autofill Medium N/A No No Spoofing
CVE-2021-30620 Chromium: CVE-2021-30620 Insufficient policy enforcement in Blink Medium N/A No No SFB
CVE-2021-30621 Chromium: CVE-2021-30621 UI Spoofing in Autofill Medium N/A No No Spoofing
CVE-2021-30622 Chromium: CVE-2021-30622 Use after free in WebApp Installs Medium N/A No No RCE

As we did last month, this month’s table also lists the Chromium updates for Edge. These vulnerabilities are listed with the severity as assigned by Google, which is different from the standard Microsoft nomenclature. Google does not assign CVSS scores, so none are listed in the table. Again, these bugs are different than the ones fixed by Google Chrome in yesterday’s release. Those bugs should be incorporated into a future version of Edge (Chromium).

The remaining Critical-rated bug fixes a code execution vulnerability in the Scripting Engine. An attacker would need to convince a user to browse to a specially crafted website or open a file to get code execution. Looking at the other RCE bugs addressed in this release, many impact Office or an Office component. Visio receives some rare updates to go along with the more common fixes for Word, Access, and Excel.

This month’s release brings a total of 27 Elevation of Privilege (EoP) patches with it. The most notable is one listed as publicly known impacting DNS. Microsoft provides no details about the nature of the bug other than to say local privileges are required to successfully exploit it. This is not to be confused with the patch for an EoP in the Bind Filter Driver, which is completely different from the ISC BIND DNS system. Other notable EoP bugs include updates for Edge (Chromium) that seem unique to Edge – meaning the bugs weren’t from the port of Chromium and patched by Google. Visual Studio receives a patch to fix an EoP reported by ZDI researcher Michael DePlante. The issue results from incorrect permissions set on a resource used by the installer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. There are some patches for the Print Spooler, but these don’t appear to have the impact or urgency as the PrintNightmare series of bugs. The other EoP fixes address various Windows components. In almost all cases, an attacker would need to log on to an affected system and run specially crafted code.

There are only two patches for security feature bypasses (SFBs) in this month’s release, but one seems awfully familiar. CVE-2021-38632 fixes a bug that could allow an attacker with physical access to a powered-off system to gain access to encrypted data. This sounds vaguely like the “cold boot” attacks widely discussed back in 2008. The other SFB bug being fixed this month could allow an attacker to bypass the Windows Key Storage Provider that issues key certificates for trust in attestation scenarios. This one’s a bit more vague, but surprisingly, Microsoft lists the attack complexity as Low for this bug. Definitely something to look out for.

Looking at the 12 information disclosure bugs in this month’s release, more simply result in leaks consisting of unspecified memory contents. A notable exception is a bug in the Windows Installer that could allow an attacker to read from the file system. The Windows Storage component has a bug with a similar impact. It’s not clear if any file can be read by an attacker or just specifical files and locations. The info disclosure being fixed in the Microsoft Accessibility Insights for Android is even more vague. According to Microsoft, the type of info disclosed is “sensitive information.” Well then. Plan accordingly.

The September release includes fixes for seven spoofing bugs and one for a cross-site scripting (XSS) bug. Microsoft provides no details on what may be spoofed for any of these vulnerabilities, but some have intriguing titles. There are fixes for Microsoft Edge for iOS and Android, so for those of you who use Edge on your phone, hit up the appropriate store to update your apps. There is a fix for a spoofing bug in Windows Authenticode, but the attacker vector is listed as local with privileges required. It’s possible this could allow an attacker access to something otherwise prohibited, but without further details, we can only speculate.

This month’s release is rounded out by a fix for a Denial-of-Service (DoS) bug in the Windows Installer and by a fix for Microsoft Edge (Chromium) in the mercurial Tampering category. Again, no information on what sort of tampering this vulnerability would allow. However, tampering bugs in the browser usually means an attacker could view and/or alter data within the browser. Interestingly, Microsoft appears to have released this update on September 9, but it does not appear to map to any bug fix released by the Chrome team.

No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV990001.

Looking Ahead

The next Patch Tuesday falls on October 12, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The September 2021 Security Update Review

The October 2021 Security Update Review

12 October 2021 at 17:28

The second Tuesday of the month is here, and that means the latest security updates from Adobe and Microsoft have arrived. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for October 2021

For October, Adobe released six patches covering 10 CVEs in Adobe Reader, Acrobat Reader for Android, Adobe Campaign Standard, Commerce, Ops-CLI, and Adobe Connect. The update for Adobe Acrobat fixes four bugs in total – two rated Critical and two rated Moderate in severity. Two of these bugs were submitted through the ZDI program. The Critical-rated bugs could allow remote code execution while the Moderate-rated bugs could allow a privilege escalation. The update for Reader for Android fixes a single path traversal bug that could lead to code execution. All require some form of user interaction, such as browsing to a web page or opening a PDF.

Several cross-site scripting (XSS) bugs receive patches this month. The patch for Campaign Standard fixes a DOM-based XSS. The fix for Adobe Commerce addresses a stored XSS. The patch for Adobe Connect fixes two bugs, one of which is a reflective XSS. The other bug is more a more severe Critical-rated deserialization vulnerability that could allow remote code execution. The final Adobe patch for October fixes a Critical-rated deserialization bug in Ops-CLI, which is a python wrapper for Terraform, Ansible, and SSH for cloud automation.

None of the bugs fixed this month by Adobe are listed as publicly known or under active attack at the time of release.

Microsoft Patches for October 2021

For October, Microsoft released patches today for 71 new CVEs in Microsoft Windows and Windows Components, Microsoft Edge (Chromium-based), Exchange Server, .NET Core and Visual Studio, Microsoft Office Services and Web Apps, SharePoint Server, Microsoft Dynamics, InTune, and System Center Operations Manager. This is in addition to the eight CVEs patched by Microsoft Edge (Chromium-based) earlier this month and three previously released OpenSSL patches, which brings the October total to 82 CVEs – slightly down from last month. A total of 11 of these bugs were submitted through the ZDI program.

Of the 71 CVEs patched today, two are rated Critical, 68 are rated Important, and one is rated Low in severity. Three of today’s patches are listed as publicly known, while one is listed as being under active attack at the time of release. This is in addition to two of the Chromium bugs that were listed as under active attack when Chrome patched on September 30. For those wondering, this month does include patches for the recently released Windows 11 operating system.

Let’s take a closer look at some of the more interesting updates for this month, starting with the kernel bug that’s listed as under active attack:

-       CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability
This patch corrected a kernel bug that could be used to escalate privileges on an affected system. Attackers typically use these types of bugs in conjunction with code execution bugs to take over a system. Considering the source of this report, this bug is likely being used in a targeted malware attack. We will also likely see more information about this bug and the associated attack within the next few days.

-       CVE-2021-26427 - Microsoft Exchange Server Remote Code Execution Vulnerability
The bug will certainly receive its fair share of attention, if nothing else, due to it being reported by the National Security Agency (NSA). Due to the similar CVE numbers, this bug was likely reported when they reported the more severe Exchange issues back in April. This bug is not as severe since this exploit is limited at the protocol level to a logically adjacent topology and not reachable from the Internet. This flaw, combined with the other Exchange bugs patched this month, should keep Exchange admins busy for a while.

-       CVE-2021-40486 - Microsoft Word Remote Code Execution Vulnerability
This patch corrects a bug that would allow code execution when a specially crafted Word document is viewed on an affected system. Although Microsoft lists user interaction required, the Preview Pane is also listed as an attack vector. This creates a much larger attack surface. When combined with a privilege escalation – like the one currently under active attack – this could be used to take over a target system. This bug came through the ZDI program and results from the lack of validating the existence of an object before performing operations on the object.

-       CVE-2021-40454 - Rich Text Edit Control Information Disclosure Vulnerability
We don’t often highlight information disclosure bugs, but this vulnerability goes beyond just dumping random memory locations. This bug could allow an attacker to recover cleartext passwords from memory, even on Windows 11. It’s not clear how an attacker would abuse this bug, but if you are using the rich text edit control in Power Apps, definitely test and deploy this bug quickly.

Here’s the full list of CVEs released by Microsoft for October 2021:

CVE Title Severity CVSS Public Exploited Type
CVE-2021-40449 Win32k Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2021-41338 Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability Important 5.5 Yes No SFB
CVE-2021-40469 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 Yes No RCE
CVE-2021-41335 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-40486 Microsoft Word Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-38672 Windows Hyper-V Remote Code Execution Vulnerability Critical 8 No No RCE
CVE-2021-40461 Windows Hyper-V Remote Code Execution Vulnerability Critical 8 No No RCE
CVE-2021-41355 .NET Core and Visual Studio Information Disclosure Vulnerability Important 5.7 No No Info
CVE-2021-41361 Active Directory Federation Server Spoofing Vulnerability Important 5.4 No No Spoofing
CVE-2021-41337 Active Directory Security Feature Bypass Vulnerability Important 4.9 No No SFB
CVE-2021-41346 Console Window Host Security Feature Bypass Vulnerability Important 5.3 No No SFB
CVE-2021-40470 DirectX Graphics Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-41363 Intune Management Extension Security Feature Bypass Vulnerability Important 4.2 No No SFB
CVE-2021-41339 Microsoft DWM Core Library Elevation of Privilege Vulnerability Important 4.7 No No EoP
CVE-2021-41354 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 4.1 No No XSS
CVE-2021-40457 Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability Important 7.4 No No XSS
CVE-2021-41353 Microsoft Dynamics 365 Sales Spoofing Vulnerability Important 5.4 No No Spoofing
CVE-2021-40472 Microsoft Excel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-40471 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-40473 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-40474 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-40479 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-40485 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34453 Microsoft Exchange Server Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-41348 Microsoft Exchange Server Elevation of Privilege Vulnerability Important 8 No No EoP
CVE-2021-26427 Microsoft Exchange Server Remote Code Execution Vulnerability Important 9 No No RCE
CVE-2021-41350 Microsoft Exchange Server Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2021-40480 Microsoft Office Visio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-40481 Microsoft Office Visio Remote Code Execution Vulnerability Important 7.1 No No RCE
CVE-2021-40482 Microsoft SharePoint Server Information Disclosure Vulnerability Important 5.3 No No Info
CVE-2021-41344 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.1 No No RCE
CVE-2021-40487 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.1 No No RCE
CVE-2021-40484 Microsoft SharePoint Server Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2021-41330 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-40454 Rich Text Edit Control Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-41352 SCOM Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-40478 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-40488 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-40489 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26441 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-41345 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-40450 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-41357 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-40456 Windows AD FS Security Feature Bypass Vulnerability Important 5.3 No No SFB
CVE-2021-40476 Windows AppContainer Elevation Of Privilege Vulnerability Important 7.5 No No EoP
CVE-2021-41347 Windows AppX Deployment Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-40468 Windows Bind Filter Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-40475 Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-40443 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-40466 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-40467 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-41334 Windows Desktop Bridge Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-40477 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38663 Windows exFAT File System Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-38662 Windows Fast FAT File System Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-41343 Windows Fast FAT File System Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-41340 Windows Graphics Component Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-26442 Windows HTTP.sys Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-40455 Windows Installer Spoofing Vulnerability Important 5.5 No No Info
CVE-2021-41336 Windows Kernel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-41331 Windows Media Audio Decoder Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-40462 Windows Media Foundation Dolby Digital Atmos Decoders Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-41342 Windows MSHTML Platform Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2021-40463 Windows NAT Denial of Service Vulnerability Important 7.7 No No DoS
CVE-2021-40464 Windows Nearby Sharing Elevation of Privilege Vulnerability Important 8 No No EoP
CVE-2021-41332 Windows Print Spooler Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-36970 Windows Print Spooler Spoofing Vulnerability Important 8.8 No No Spoofing
CVE-2021-40460 Windows Remote Procedure Call Runtime Security Feature Bypass Vulnerability Important 6.5 No No SFB
CVE-2021-36953 Windows TCP/IP Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-40465 Windows Text Shaping Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-40483 Microsoft SharePoint Server Spoofing Vulnerability Low 7.6 No No Spoofing
* CVE-2021-37973 Chromium: CVE-2021-37973 Use after free in Portals High N/A No No RCE
* CVE-2021-37974 Chromium: CVE-2021-37974 Use after free in Safe Browsing High N/A No Yes RCE
* CVE-2021-37975 Chromium: CVE-2021-37975 Use after free in V8 High N/A No Yes RCE
* CVE-2021-37977 Chromium: CVE-2021-37977 Use after free in Garbage Collection High N/A No No RCE
* CVE-2021-37978 Chromium: CVE-2021-37978 Heap buffer overflow in Blink High N/A No No RCE
* CVE-2021-37979 Chromium: CVE-2021-37979 Heap buffer overflow in WebRTC High N/A No No RCE
* CVE-2021-37980 Chromium: CVE-2021-37980 Inappropriate implementation in Sandbox High N/A No No RCE
* CVE-2021-37976 Chromium: CVE-2021-37976 Information leak in core Medium N/A No No Info
* CVE-2020-1971 OpenSSL: CVE-2020-1971 EDIPARTYNAME NULL pointer de-reference Important N/A No No DoS
* CVE-2021-3449 OpenSSL: CVE-2021-3449 NULL pointer deref in signature_algorithms processing Important N/A No No DoS
* CVE-2021-3450 OpenSSL: CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT Important N/A No No Info

* Indicates this CVE had previously been released by a 3rd-party and is now being incorporated into Microsoft products.

The remaining Critical-rated bugs fix remote code execution vulnerabilities in Hyper-V server. One of these bugs could allow a guest OS to execute code on the host OS if the guest can cause a memory allocation error within the guest VM. Microsoft provides no details on the other bug, but it could also be used for a guest-to-host escape.

Looking at the remaining 18 code execution bugs, most are within the Office family and require a user to open a specially crafted file. One notable exception is a remote code execution bug in the DNS server. No user interaction is required to exploit this bug, but it does require high privileges, knocking this from Critical rated to Important. Microsoft lists this as publicly known but doesn’t state where which is frustrating. Knowing how widespread the knowledge of this vulnerability could benefit network defenders in creating a true risk assessment for their enterprise. There are also a couple of SharePoint code execution bugs receiving patches, but both require local privileges to exploit. These bugs came through the ZDI program, and we’ll have more details about them in the future. Another interesting RCE bug impacts the MSHTML platform. Although Internet Explorer is now “retired”, it lives on as the underlying MSHTML, EdgeHTML, and scripting platforms are still supported. There are even patches here for Windows 11. The legacy of IE hasn’t quite left us after all.

Moving on to the privilege escalation bugs, most require an attacker to log on to a system and run their own code to take advantage of an affected component. There’s another kernel bug here, and it is listed as publicly known – again with no additional information or details on the public disclosure. There’s also a privilege escalation in Exchange that also requires the attacker to be on an adjacent network. No user interaction is listed, so the likely scenario would be an insider threat.

There are five security feature bypass (SFB) bugs patched in this month’s release. The first is a vulnerability in RPC Runtime that could allow an attacker to bypass Extended Protection for Authentication provided by Service Principal Name (SPN) target name validation. A different bug in the Windows active directory could allow an attacker to bypass the Active Directory Federation Services (AD FS) BannedIPList entries for WS-Trust workflows. A different Active Directory bug could allow an attacker to bypass Active Directory domain permissions for Key Admins groups. The bypass in Intune requires the Intune Management Extension to be installed, but Microsoft provides no further details on what is being bypassed. Microsoft provides no details on what security feature is being bypassed on either the console Windows host or the Windows AppContainer Firewall. The lack of details around the container firewall vulnerability is especially frustrating since Microsoft lists this bug as publicly known.

The October release contains fixes for three new Denial-of-Service (DoS) bugs, each of which is significant. The first patch fixes a DoS vulnerability in TCP/IP that impacts all supported versions of Windows – including Windows 11. It’s not clear if this would allow an attacker to completely shut down a system, but without further details from Microsoft, network defenders should assume this worst-case scenario is likely. There’s a DoS bug in Exchange Server, and again, details are scarce. Since the CVSS score lists Availability=High, assume an attacker can abuse this bug to shut down an Exchange server. The final DoS bug getting fixed this month impacts Windows Network Address Translation (NAT) and was discovered by the same researchers that found the TCP/IP bug. Again, the CVSS score indicates this vulnerability could be used to take down a system, so test and deploy these patches quickly.

In addition to the one previously mentioned, there are 13 information disclosure bugs receiving fixes in this month’s release. Most of these simply result in leaks consisting of unspecified memory contents. However, if you’re running the web console of the System Center Operations Manager (SCOM), you definitely want to pay attention to the bug that could disclose file content on an affected system.

The October release is rounded out by fixes for six spoofing bugs and two cross-site scripting (XSS) bugs. Microsoft provides no details on what may be spoofed for any of these vulnerabilities, but the ones for Print Spooler and Exchange stand out. There are only a couple of print spooler bugs in this month’s release, so perhaps the days of PrintNightmare are finally behind us. The only clue we have for the impact of the Exchange spoofing bug is the CVSS rating of Confidentiality=High. This implies a total loss of confidentiality, which is not something you want to be associated with your Exchange server. The remaining spoofing bugs read very close to XSS bugs, including the rare Low severity fix for SharePoint Server.

No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV90001.

Looking Ahead

The next Patch Tuesday falls on November 9, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The October 2021 Security Update Review

Pwn2Own Austin 2021 - Schedule and Live Results

2 November 2021 at 01:53

Welcome to Pwn2Own Austin 2021! This year’s consumer-focused event is our largest ever with 58 total entries from 22 different contestants. As with all of our contests now, you can follow along live on YouTube and Twitch. With attempts going every 30 minutes, is should be an exciting few days.

As always, we started the contest with a random drawing to determine the order of attempts. You can view the results here. Our schedule is so packed, we’ve extended to contest to a fourth day. The complete schedule for the contest is below (all times Eastern [GMT -4:00]). We will update this schedule with results as they become available.

Note: All times subject to change - You can watch the event live here.

Jump to Day Two Results; Day Three Results; Day Four Results

Tuesday, November 2

For a quick review of Day One, check out our recap video here.

1000 - Sam Thomas (@_s_n_t) from team Pentest Limited (@pentestltd) targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

SUCCESS - Sam used a three-bug chain that included an unsafe redirect and a command injection to get code execution on the Western Digital My Cloud Pro Series PR4100. This successful demonstration earns him $40,000 and 4 Master of Pwn points.

1030 - Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com) targeting the WAN interface of the Cisco RV340 in the router category

SUCCESS - Bien Pham leveraged a logic error to compromise the WAN interface of the Cisco RV340 router. He earns $30,000 and 3 Master of Pwn points.

1100 - The Synacktiv (@Synacktiv) team targeting the Canon ImageCLASS MF644Cdw in the printer category

SUCCESS - The Synacktiv team used a heap overflow to take over the Canon ImageCLASS printer and bring home the first Printer Category win in Pwn2Own history. They earn $20,000 and 2 points towards Master of Pwn.

1130 - trichimtrich and nyancat0131 targeting the LAN interface of the TP-Link AC1750 Smart Wi-Fi in the router category

SUCCESS - trichimtrich used an Out-Of-Bounds (OOB) Read to get a root shell via the LAN interface of the TP-Link AC1750 router. This earns him $5,000 and 1 point towards Master of Pwn.

1200 - The THEORI Team (@theori_io) targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

SUCCESS - The THEORI team combined an OOB Read and a stack-based buffer overflow to take over the Western Digital My Cloud Pro Series PR4100 NAS device. They used a unique bug chain, so they earn the full $40,000 and 4 points towards Master of Pwn.

1230 - Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com) targeting the LAN interface of the Cisco RV340 in the router category

SUCCESS - Bien Phamfrom Team Orca of Sea Security used a three-bug chain, including an auth bypass and a command injection, to take over the LAN interface of the Cisco RV340. This effor earns him $15,000 and 2 more Master of Pwn points.

1300 - Ken Gannon (@yogehi) of F-Secure Labs (@fsecurelabs) targeting the Samsung Galaxy S21 in the Mobile Phone category

FAILURE - Unfortunately, Ken could not get his exploit to work within the time allotted.

1400 - Bugscale targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

COLLISION - The exploit chain used by Bugscale included known bugs. They still earn $20,000 and 2 Master of Pwn points.

1430 - Benjamin Grap (@blightzero), Hanno Heinrichs (@HeinrichsH), and Lukas Kupczyk (@___luks___) of CrowdStrike Intelligence targeting the LAN interface of the Cisco RV340 in the router category

COLLISION - The exploit chain used by the CrowdStrike team included some known bugs. They still earn $10,000 and 1.5 Master of Pwn points.

1500 - Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the Canon ImageCLASS MF644Cdw in the printer category

SUCCESS - The DEVCORE team used a stack-based buffer overflow to take over the Canon ImageCLASS printer. This unique bug chain earned them $20,000 and 2 Master of Pwn points.

1530 - Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com) targeting the LAN interface of the TP-Link AC1750 Smart Wi-Fi Router in the router category

SUCCESS - Bien Pham finishes Day 1 by using an OOB Read bug to take control of the TP-Link AC1750 router via the LAN interface. This earns him another $5,000 and 1 Master of Pwn point.

1630 - Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the Sonos One Speaker in the home automation category

SUCCESS - The DEVCORE team used an integer underflow to gain code execution on the Sonos One Speaker. They earn $60,000 and 6 points towards Master of Pwn.

1700 - Gaurav Baruah (@_gauravb_) targeting the WAN interface of the Cisco RV340 in the router category

COLLISION - A partial collision. One of the bugs used by Gaurav was previously known. He still $22,500 and 2.5 Master of Pwn points.

1730 - The THEORI Team (@theori_io) targeting the 3TB My Cloud Home Personal Cloud from WD in the NAS category

SUCCESS - The THEORI Team used a stack-based buffer overflow to get code execution on the 3TB My Cloud Home Personal Cloud from WD. This earns them $40,000 and 4 Master of Pwn points, giving them a 1 day total of $80,000 and 8 points.

1800 - Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the HP Color LaserJet Pro MFP M283fdw in the printer category

SUCCESS - The DEVCORE team used a stack-based buffer overflow to gain code execution on the HP Color LaserJet Pro. They earn another $20,000 and 2 Master of Pwn points, bringing their day 1 total to $100,000 and 10 Master of Pwn points.

Due to time limitations and resource constraints, the following attempts will occur off the live stream during the evening. Results of these attempts will still be reported here and on Twitter.

— trichimtrich and nyancat0131 targeting the LAN interface of the NETGEAR R6700v3 in the router category

SUCCESS - trichimtrich leveraged an integer overflow to gain code execution via the LAN interface of the NETGEAR R6700v3 router. They win another $5,000 and 1 more point towards Master of Pwn.

— Flashback Team of Pedro Ribeiro (@pedrib1337) && Radek Domanski (@RabbitPro) targeting the WAN interface of the NETGEAR R6700v3 in the router category

FAILURE - Unfortunately, Team Flashback could not get their exploit to work within the time allotted.

— Bugscale targeting the LAN interface of the NETGEAR R6700v3 in the router category

SUCCESS - The Bugscale team combined an authorization bypass with a command injection bug to get code execution on the LAN interface of the NETGEAR router. They earn $5,000 and 1 Master of Pwn point.

— crixer (@pwning_me), Axel Souchet (@0vercl0k), @chillbro4201, and friends from Mofoffensive Research Team targeting the LAN interface of the NETGEAR R6700v3 in the router category

SUCCESS - The Mofoffensive Research Team combining a heap overflow and a stack-based buffer overflow to gain code execution on the LAN interface of the NETGEAR R6700 router. Their efforts earn $5,000 and 1 Master of Pwn point.

Wednesday, November 3

For a video overview of the Day Two results, see here.

1000 - NCC Group EDG (Alex Plaskett, Cedric Halbronn, Aaron Adams) targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

SUCCESS - The NCC Group leveraged a memory corruption bug three different ways (and overcame a timing issue) to get code execution on the Western Digital My Cloud Pro Series PR4100. They earn themselves $40,000 and 4 Master of Pwn points.

1030 - Flashback Team of Pedro Ribeiro (@pedrib1337) && Radek Domanski (@RabbitPro) targeting the WAN interface of the Cisco RV340 in the router category

SUCCESS - The Flashback team of Pedro and Redek used an impressive stack-based buffer overflow to get code execution on the WAN interface of the Cisco RV340 router. They earn $30,000 and 3 Master of Pwn points.

1100 - Nicolas Devillers (@nikaiw), Jean-Romain Garnier, and Raphael Rigo (@_trou_) targeting the Canon ImageCLASS MF644Cdw in the printer category

SUCCESS - The team of Nicolas Devillers, Jean-Romain Garnier, and Raphael Rigo obtained code execution on the Canon ImageCLASS printer through a stack-based buffer overflow. This unique bug chain earns them $20,000 and 2 Master of Pwn points.

1130 - crixer (@pwning_me), Axel Souchet (@0vercl0k), @chillbro4201, and friends from Mofoffensive Research Team targeting the LAN interface of the TP-Link AC1750 Smart Wi-Fi Router in the router category

FAILURE - Unfortunately, the Mofoffensive Team could not get his exploit to work within the time allotted.

1200 - The Synacktiv (@Synacktiv) team targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

SUCCESS - The Synacktiv team leveraged a configuration error bug to get code execution on the PR411. They earn $40,000 and 4 Master of Pwn points.

1230 - Q. Kaiser & T. Shiomitsu from IoT Inspector Research Lab targeting the LAN interface of the Cisco RV340 in the router category

SUCCESS - Q. Kaiser & T. Shiomitsu from IoT Inspector Research Lab used 3 unique bugs, incuding an authorization bypass and a commange injection, to get code execution on the Cisco RV340 via the LAN interface. They earn $15,000 and 2 Master of Pwn points.

1300 - The STARLabs Team targeting the Samsung Galaxy S21 in the mobile phone category

COLLISION - The exploit chain used by the STARLabs team included a bug known by the vendor. They still earn $25,000 and 2.5 Master of Pwn points.

1400 - The Synacktiv (@Synacktiv) team targeting the Sonos One Speaker in the home automation category

SUCCESS - The Synacktiv team used a stack-based buffer over to compromise the Sonos One speaker and play us a tune. They earn $60,000 and 6 Master of Pwn points.

1430 - trichimtrich and nyancat0131 targeting the WAN interface of the Cisco RV340 in the router category

SUCCESS - trichmitrich used nearly all the time on the clock, but his command injection bug is unique. His takeover of the Cisco RV340 via the WAN interface earns him $30,000 and 3 Master of Pwn points.

1500 - Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

COLLISION - The DEVCORE team successfully exploited the WD PR411, but the bugs they leveraged had been previously used in the competition. Their work still earns them $20,000 and 2 Master of Pwn points.

1530 - The STARLabs Team targeting the LAN interface of the TP-Link AC1750 Smart Wi-Fi Router in the router category

COLLISION - The STARLabs team exploited the LAN interface of the TP-Link AC1750 router, but they used a known bug. This still nets them $2,500 and .5 Master of Pwn points.

1600 - The Synacktiv (@Synacktiv) team targeting the Lexmark MC3224i in the printer category

SUCCESS - The Synacktiv team combined three unique bugs, including an unprivileged access bug and a command injection bug, to get code execution on the Lexmark MC3224i printer. They earn $20,000 and 2 more Master of Pwn points.

1700 - The STARLabs Team targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

COLLISION - The exploit chain used by Nguyễn Hoàng Thạch (hi_im_d4rkn3ss) of STARLabs team included bugs previously used in the contest. They still earn $20,000 and 2 Master of Pwn points.

1745 - The Synacktiv (@Synacktiv) team targeting the HP Color LaserJet Pro MFP M283fdw in the printer category

COLLISION - The exploit chain used by the Synacktiv team included a bug used earlier in the competition. They still earn $10,000 and 1 Master of Pwn point.

Due to time limitations and resource constraints, the following attempts will occur off the live stream during the evening. Results of these attempts will still be reported here and on Twitter.

Q. Kaiser & T. Shiomitsu from IoT Inspector Research Lab targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

FAILURE - Unfortunately, the IoT Inspector Research team could not get their exploit to work within the time allotted.

— The STARLabs Team targeting the 3TB My Cloud Home Personal Cloud from WD in the NAS category

COLLISION - The exploit chain used by Nguyễn Hoàng Thạch (hi_im_d4rkn3ss) and Phan Thanh Duy (PTDuy) of STARLabs took over the 3TB My Cloud Home Personal Cloud from WD using a bug previously seen in the competition. They still earn $20,000 and 2 Master of Pwn points.

— Diffense Team targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

COLLISION - In their Pwn2Own debut, the Diffense Team runs into a collision. They were able to exploit the Western Digital My Cloud Pro Series PR4100, but the bug they leveraged was also used on Day 1. They still earn $20,000 and two Master of Pwn points in their debut effort.

— Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the Lexmark MC3224i in the printer category

SUCCESS - The DEVCORE team used a code injection bug to take over the Lexmark MC3224i printer. This unique bug chain earned them $20,000 and 2 Master of Pwn points.

— NCC Group EDG (Alex Plaskett, Cedric Halbronn, Aaron Adams) targeting the Lexmark MC3224i in the printer category in the printer category

SUCCESS - The NCC Group again needed multiple attempts, but they successfully exploited the Lexmark MC3224i with a file write bug. The earn $20,000 and 2 Master of Pwn points.

— Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com) targeting the WAN interface of the NETGEAR R6700v3 in the router category

FAILURE - Unfortunately, Bien could not get his exploit to work within the time allotted.

— Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com) targeting the LAN interface of the NETGEAR R6700v3 in the router category

COLLISION - The two-bug exploit chain used by Bien included bugs used earlier in the competition. He still earn $2,500 and .5 Master of Pwn points.

— Q. Kaiser & T. Shiomitsu from IoT Inspector Research Lab targeting the WAN interface of the NETGEAR R6700v3 in the router category

FAILURE - Unfortunately, the IoT Inspector Research team could not get their exploit to work within the time allotted.

— Diffense Team targeting the LAN interface of the NETGEAR R6700v3 in the router category

FAILURE - Unfortunately, the Diffense Team could not get their exploit to work within the time allotted.

Thursday, November 4

For a quick overview of Day Three results, see the recap video here.

1000 - Martin Rakhmanov (@mrakhmanov) targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

SUCCESS - Martin used a unique two-bug chain that included a command injection to compormise the NAS device. He earns himself $40,000 and 4 points towards Master of Pwn.

1030 - The Synacktiv (@Synacktiv) team targeting the LAN interface of the Cisco RV340 in the router category

COLLISION - The three-bug exploit chain used by the Synacktiv team included some known bugs. They still earn $7,500 and 1 Master of Pwn points.

1100 - Alexander Bolshev (@dark_k3y), Timo Hirvonen (@TimoHirvonen), and Dmitry Janushkevich (@InfoSecDJ) of F-Secure Labs (@fsecurelabs) targeting the HP Color LaserJet Pro MFP M283fdw in the printer category

SUCCESS - The team from F-Secure Labs used a single stack-based buffer overflow to take over the printer and turn it into a jukebox. They earn $20,000 and 2 Master of Pwn points.

1200 - The STARLabs Team targeting the beta version of the 3TB My Cloud Home Personal Cloud from WD in the NAS category

SUCCESS - The STARLabs team of Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss) and Billy Jheng Bing-Jhong (@st424204) combined an OOB Read and a heap-based buffer overflow to exploit the beta version of the 3TB My Cloud Home Personal Cloud from WD. They earn $45,000 and 5 Master of Pwn points.

1230 - Stephen Fewer (@stephenfewer) of Relyze Software Limited (www.relyze.com) targeting the LAN interface of the Cisco RV340 in the router category

COLLISION - The four-bug exploit chain used by the Stephen included some known bugs. His successful demonstration still earns him $10,000 and 1.5 Master of Pwn points.

1300 - Sam Thomas (@_s_n_t) from team Pentest Limited (@pentestltd) targeting the Samsung Galaxy S21 in the mobile phone category

SUCCESS - Sam used a three-bug chain to get code execution on the Sumsung Galaxt S21. This successful demonstration earns him $50,000 and 5 Master of Pwn points.

1400 - The Synacktiv (@Synacktiv) team targeting the 3TB My Cloud Home Personal Cloud from WD in the NAS category

COLLISION - The Synacktiv team used a two-bug chain to compromise the 3TB My Cloud Home Personal Cloud, but one of the bugs had been used prior in the contest. Their demonstration still earns them $20,000 and 2 Master of Pwn points.

1500 - Chris Anastasio (@mufinnnnnnn) targeting the Lexmark MC3224i in the printer category

COLLISION - Chris used a four-bug chain to compromise the Lexmark printer, but one of the bugs had been used prior in the contest. His efforts still earns him $17,500 and 1.75 Master of Pwn points.

1600 - The STARLabs Team targeting the LAN interface of the NETGEAR R6700v3 in the router category

FAILURE - Unfortunately, the STARLabs Team could not get their exploit to work within the time allotted.

1700 - Stephen Fewer (@stephenfewer) of Relyze Software Limited (www.relyze.com) targeting the LAN interface of the NETGEAR R6700v3 in the router category

SUCCESS - Stephen used an uninitialized variable to get a root shell via the LAN interface of the NETGEAR R6700v3 router. He earns $5,000 and 1 Master of Pwn point.

Due to time limitations and resource constraints, the following attempts will occur off the live stream during the evening. Results of these attempts will still be reported here and on Twitter.

The Synacktiv (@Synacktiv) team targeting the WAN interface of the NETGEAR R6700v3 in the router category

SUCCESS - The Synactiv team used an improper certificate validation and a stack-based buffer overflow to compromise the NETGEAR router via the WAN interface. They earn $20,000 and 2 critical Master of Pwn points.

— Flashback Team of Pedro Ribeiro (@pedrib1337) && Radek Domanski (@RabbitPro) targeting the LAN interface of the NETGEAR R6700v3 in the router category

COLLISION - Pedro and Radek leveraged 2 bugs to exploit the NETGEAR R6700 router via the LAN interface, but the path traversal they chose was an N-day. This still earns them $3,750 and .75 Master of Pwn points.

Friday, November 5

For a quick overview of Day Four results, see the recap video here.

1000 - Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the 3TB My Cloud Home Personal Cloud from WD in the NAS category

SUCCESS - The DEVCORE team combined an OOB Read and an OOB Write to sucessfully exploit the 3TB My Cloud Home Personal Cloud from WD. This unique bug chain earned them $40,000 and 4 Master of Pwn points.

1030 - Diffense Team targeting the LAN interface of the Cisco RV340 in the router category

COLLISION - The Diffense Team leveraged 4 bugs to exploit the Cisco RV340 router via the LAN interface, but some of the bugs had been seen earlier in the conference. This still earns them $10,000 and 1.5 Master of Pwn points.

1100 - Benjamin Grap (@blightzero), Hanno Heinrichs (@HeinrichsH), and Lukas Kupczyk (@___luks___) of CrowdStrike Intelligence targeting the Lexmark MC3224i in the printer category

COLLISION - The team from CrowdStrike had no problem taking over the Lexmark printer using a three-bug chain, however all of the bused used had been seen earlier in the contest. Their effort wins them $10,000 and 1 Masrer of Pwn point.

1200 - The NullRiver team of Xin’an Zhou, Xiaochen Zou, Zhiyun Qian targeting the LAN interface of the NETGEAR R6700v3 in the router category

SUCCESS - The team used a pair of bugs to execute code via the LAN interface. They earn $5,000 and 1 Master of Pwn point.

1230 - Final wrap-up and the crowning of the Master of Pwn


Congratulations to the Synacktiv team for being crowned Master of Pwn! It was a tight race, but tehir combined efforts held off all challengers.

Thanks again to our partners Western Digital as well as our sponsor Synology. Thanks also to the researchers who participate and to the vendors for providing fixes for what’s discovered during the contest. As a reminder, vendors have 90 days to produce a fix for all vulnerabilities reported.

Pwn2Own Austin 2021 - Schedule and Live Results

The November 2021 Security Update Review

9 November 2021 at 18:26

The second Tuesday of the month is upon us, and with it comes the latest security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for November 2021

For November, Adobe released only three patches correcting four CVEs in Creative Cloud Desktop, InCopy, and RoboHelp. The patch for Creative Cloud fixes a single Important-rated denial-of-service (DoS) bug. The InCopy patch fixes two bugs, including a Critical-rated code execution. The release for RoboHelp Server is listed as a security hotfix rather than a security patch, but it’s not clear why there’s a difference in the nomenclature. Either way, a Critical-rated arbitrary code execution bug is being fixed, so if you still use RoboHelp, apply this hotfix.

If this seems especially light, Adobe did release fixes for more than 80 CVEs in late October for critical code execution flaws, privilege escalation, denial-of-service, and memory leaks across multiple products. None of these fixes were listed as under active attack, so it’s unclear why Adobe released so many patches out of band.

None of the patches released today by Adobe are listed as being publicly known or under active attack at the time of release.

Microsoft Patches for November 2021

For November, Microsoft released patches today for 55 new CVEs in Microsoft Windows and Windows Components, Azure, Azure RTOS, Azure Sphere, Microsoft Dynamics, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, Windows Hyper-V, Windows Defender, and Visual Studio.

Historically speaking, 55 patches in November is a relatively low number. Last year, there were more than double this number of CVEs fixed. Even going back to 2018 when there were only 691 CVEs fixed all year, there were more November CVEs fixed than in this month. Given that December is typically a slower month patch-wise, it causes one to wonder if there is a backlog of patches awaiting deployment due to various factors. It seems odd that Microsoft would be releasing fewer patches after seeing nothing but increases across the industry for years.

Of the CVEs patched today, six are rated Critical and 49 are rated as Important in severity. Four of these bugs came through the ZDI program. Four of these bugs are listed as publicly known and two are listed as under active exploit at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the two bugs listed as under active attack:

-       CVE-2021-42321 – Microsoft Exchange Server Remote Code Execution Vulnerability
This Exchange bug is listed by Microsoft as currently under active attack; however, authentication is listed as a requirement. As with all Exchange bugs in the wild, we urge Exchange admins to test and deploy the patches as soon as possible. Microsoft has also published this blog to aid Exchange administrators with their patch deployment.

-       CVE-2021-42292 – Microsoft Excel Security Feature Bypass Vulnerability
This patch fixes a bug that could allow code execution when opening a specially crafted file with an affected version of Excel. This is likely due to loading code that should be behind a prompt, but for whatever reason, that prompt does not appear, thus bypassing that security feature. It’s unclear if it’s a malicious macro or some other form of code loading within a spreadsheet, but I would be reluctant to open any unexpected attachments for a while. This is especially true for users of Office for Mac because there currently is no patch available for Mac users. They must wait for a future update to be protected. It’s also interesting to note Microsoft lists this as under active attack, but the CVSS rating lists the exploit code maturity as “proof of concept”.

-       CVE-2021-26443 – Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability
This patch addresses a guest-to-host escape through the virtual machine bus (VMBus). A user on a guest VM can send a specially crafted communication on the VMBus channel to the host OS that could result in arbitrary code execution on the underlying host. With a CVSS of 9.0, this is one of the more severe vulnerabilities fixed this month. Based on the CVE number, this has been known to Microsoft for a few months.

-       CVE-2021-38666 – Remote Desktop Client Remote Code Execution Vulnerability
While not as severe as a bug in the RDP Server, this bug in the RDP client is still worth prioritizing. If an attacker can lure a user to connect to a malicious RCP server, they could execute code on the connecting RDP client system. Again, this doesn’t reach the level of the Bluekeep bugs, but definitely something to watch.

Here’s the full list of CVEs released by Microsoft for November 2021:

CVE Title Severity CVSS Public Exploited Type
CVE-2021-42292 Microsoft Excel Security Feature Bypass Vulnerability Important 7.8 No Yes SFB
CVE-2021-42321 Microsoft Exchange Server Remote Code Execution Vulnerability Important 8.8 No Yes RCE
CVE-2021-43208 3D Viewer Remote Code Execution Vulnerability Important 7.8 Yes No RCE
CVE-2021-43209 3D Viewer Remote Code Execution Vulnerability Important 7.8 Yes No RCE
CVE-2021-38631 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability Important 4.4 Yes No Info
CVE-2021-41371 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability Important 4.4 Yes No Info
CVE-2021-42279 Chakra Scripting Engine Memory Corruption Vulnerability Critical 4.2 No No RCE
CVE-2021-42298 Microsoft Defender Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-42316 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability Critical 8.7 No No RCE
CVE-2021-26443 Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability Critical 9 No No RCE
CVE-2021-3711 OpenSSL: CVE-2021-3711 SM2 Decryption Buffer Overflow Critical 9.8 No No RCE
CVE-2021-38666 Remote Desktop Client Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-42278 Active Directory Domain Services Elevation of Privilege Vulnerability Important 7.5 No No EoP
CVE-2021-42282 Active Directory Domain Services Elevation of Privilege Vulnerability Important 7.5 No No EoP
CVE-2021-42287 Active Directory Domain Services Elevation of Privilege Vulnerability Important 7.5 No No EoP
CVE-2021-42291 Active Directory Domain Services Elevation of Privilege Vulnerability Important 7.5 No No EoP
CVE-2021-42302 Azure RTOS Elevation of Privilege Vulnerability Important 6.6 No No EoP
CVE-2021-42303 Azure RTOS Elevation of Privilege Vulnerability Important 6.6 No No EoP
CVE-2021-42304 Azure RTOS Elevation of Privilege Vulnerability Important 6.6 No No EoP
CVE-2021-26444 Azure RTOS Information Disclosure Vulnerability Important 3.3 No No Info
CVE-2021-42301 Azure RTOS Information Disclosure Vulnerability Important 3.3 No No Info
CVE-2021-42323 Azure RTOS Information Disclosure Vulnerability Important 3.3 No No Info
CVE-2021-41374 Azure Sphere Information Disclosure Vulnerability Important 6.7 No No Info
CVE-2021-41375 Azure Sphere Information Disclosure Vulnerability Important 4.4 No No Info
CVE-2021-41376 Azure Sphere Information Disclosure Vulnerability Important 2.3 No No Info
CVE-2021-42300 Azure Sphere Tampering Vulnerability Important 6 No No Tampering
CVE-2021-41366 Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-42277 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability Important 5.5 No No EoP
CVE-2021-41373 FSLogix Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-41368 Microsoft Access Remote Code Execution Vulnerability Important 6.1 No No RCE
CVE-2021-42275 Microsoft COM for Windows Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-41351 Microsoft Edge (Chrome based) Spoofing on IE Mode Important 4.3 No No Spoofing
CVE-2021-40442 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-41349 Microsoft Exchange Server Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2021-42305 Microsoft Exchange Server Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2021-42276 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-42296 Microsoft Word Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-41367 NTFS Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-41370 NTFS Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-42283 NTFS Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2021-41372 Power BI Report Server Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2021-38665 Remote Desktop Protocol Client Information Disclosure Vulnerability Important 7.4 No No Info
CVE-2021-42322 Visual Studio Code Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-42319 Visual Studio Elevation of Privilege Vulnerability Important 4.7 No No EoP
CVE-2021-42286 Windows Core Shell SI Host Extension Framework for Composable Shell Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-41356 Windows Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-36957 Windows Desktop Bridge Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-41377 Windows Fast FAT File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-42280 Windows Feedback Hub Elevation of Privilege Vulnerability Important 5.5 No No EoP
CVE-2021-42288 Windows Hello Security Feature Bypass Vulnerability Important 5.7 No No SFB
CVE-2021-42284 Windows Hyper-V Denial of Service Vulnerability Important 6.8 No No DoS
CVE-2021-42274 Windows Hyper-V Discrete Device Assignment (DDA) Denial of Service Vulnerability Important 6.8 No No DoS
CVE-2021-41379 Windows Installer Elevation of Privilege Vulnerability Important 5.5 No No EoP
CVE-2021-42285 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-41378 Windows NTFS Remote Code Execution Vulnerability Important 7.8 No No RCE

Looking at the remaining Critical-rated patches for November, the entries for Chakra and Dynamics (On-Prem) stand out. The Chakra patch fixes a bug that could allow an attacker to execute their own code on affected systems, usually in a browse-and-own or open-and open-and-own scenario. Microsoft doesn’t make it clear how the code execution on Dynamics would occur but considering the types of infrastructure and supply chains managed by Dynamics, this Critical-rated bug should be taken seriously.  The patch for Defender should be of concern for those disconnected from the Internet, but for others will likely not need to take any action. Microsoft regularly updates the Malware Protection Engine, so if your system is connected to the Internet, it should have already received an update. You should still verify the version and manually apply the update if needed. Finally, Microsoft is releasing its update of an OpenSSL patch from August. This is a good reminder that if you ship open-source code, you should always check to ensure you’re shipping the latest, most secure version.

Moving on to the other code execution bugs, two can be found in the 3D Viewer. These were reported by ZDI’s Mat Powell, but Microsoft failed to meet our disclosure timeline. That’s why these are listed as publicly known as we published some details about these bugs back in June and July. The other code execution bugs mostly reside in one of the Office components. In these cases, opening a specially crafted file could lead to code execution. The final code exec bug resides in NTFS, but it’s not clear from Microsoft how this could work. They list no user interaction required, while also listing the vector as local. This removes the open-and-own scenario as well as the browse-to-a-remote-folder vector. This bug came through the THEORI team, who had quite the showing at the recent Pwn2Own Austin. Hopefully, they will release additional details in the near future.

There are 20 elevation of privilege (EoP) bugs patches in this release, with the most severe impacting NTFS, Active Directory Domain Service, and Azure RTOS. The NTFS bugs are confusing as they list no user interaction needed while still being a local vector with low privileges required. Those are the same ratings for the NTFS RCE bug, so it’s not clear how these are different. The patches for ADDS also should not be ignored as bugs here could make lateral movement within an enterprise easier. It’s also not clear how many people are using Azure RTOS, but they have a tough road ahead of them. They can’t just apply a patch. Instead, they will need to recompile their project with updated USBX source code then redeploy the new code. Failure to do so could result in an EoP if an attacker plugged in a malicious USB device. The remaining EoP patches fix more traditional issues where an attacker is required to log on to a system and run their own code to take advantage of an affected component.

There are some heavy-hitting information disclosure bugs being patched this month. First up are three patches for Azure RTOS that could lead to info disclosure, although Microsoft does not state what type of information could be disclosed. Again, a recompile and redeploy is required to stop a malicious USB attack. More disturbingly, there are two publicly known info disclosure bugs in RDP that could allow read access to Windows RDP client passwords by RDP administrators. That could be a game-changer to inside threats since we all know users would NEVER reuse a password – at least that’s what they swear to me (and this time, they mean it).

There’s also an info disclosure bug being fixed in FSLogix. This bug could allow an attacker to disclose user data redirected to the profile or Office container via FSLogix Cloud cache, which includes user profile settings and files. Surprisingly, only one of the 10 info disclosure bugs results in a leak consisting of unspecified memory contents.

Three info disclosure impact Azure Sphere devices, but these devices should receive updates automatically if they are connected to the internet. There’s also a tampering bug being fixed in Azure Sphere, but again, provided you are connected to the internet, there’s no action to take.

Looking at patches for denial-of-service (DoS) bugs, the most important is the one impacting Windows – not a subcomponent – Windows. A remote attacker with no permissions could create a DoS on all supported Windows versions (including Windows 11). It’s not clear if this would result in a system hang or a reboot, but either way, do not bypass this impactful DoS. The other two DoS bugs impact Hyper-V, and one of those requires GRE to be enabled.

Besides the Excel bug already mentioned, there’s only one other Security Feature Bypass (SFB) being fixed in November. This impacts Windows Hello on Windows 10 and Server 2019 systems. No details are provided, but just by the component and impact, it seems there’s a way to access affected systems without using a PIN, facial recognition, or fingerprint. If you use this feature for authentication, you may want to disable it until you are sure all affected systems are patched.

Finally, the November release contains fixes for four spoofing bugs, including one for Exchange that must be obvious when you look for it as eight different researchers are all acknowledged by Microsoft for reporting it. Of course, they provide no info on what sort of spoofing is being fixed by this patch, the other Exchange spoofing bug, or by the Edge (Chrome-based) spoofing bug while on IE Mode. Microsoft does state the fix for the Power BI Report Server addresses a Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability with the template file.

No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV90001.

Looking Ahead

The next Patch Tuesday falls on December 14, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The November 2021 Security Update Review

The December 2021 Security Update Review

14 December 2021 at 18:37

The final second Tuesday of the year is here, and this month, it brings much more than just patches from Microsoft and Adobe. Take a break from your holiday preparations and join us we review the details of the latest security patches.

CVE-2021-44228: Log4Shell (Log4j)

Unless you have been hiding under a rock with your eyes closed and your fingers in your ears, you have heard of a recently disclosed vulnerability in the Java logging library known as Apache Log4j. The vulnerability could allow remote code execution on affected applications and servers by logging a certain string. Of course, the biggest issue is just how large the list of affected application is. No one has a good answer other than “a whole lot,” as this library is nearly ubiquitous. Here’s how an infection flow might look:

Affected products are still being identified and range from web services like Apache Struts to games like Minecraft to banking and financial applications. If you run a server built on open-source software, there’s a good chance you are impacted by this vulnerability. Trend Micro has published this blog, which details the bug and provides IOCs and guidance to detect attacks. So far, we’re seeing active exploits dropping Mirai variants and Kinsing coin miners on affected servers. Check with all the vendors in your enterprise to see if they are impacted and what patches are available. We’ve also released a tool you can use to scan your enterprise for affected systems. You can access it at https://log4j-tester.trendmicro.com/.

Apple Patches for December 2021

While Apple doesn’t release on a second Tuesday cycle, they did release significant patches yesterday that shouldn’t be ignored. New updates are available for iOS and iPad OS, macOS Monterey, macOS Big Sur, tvOS, and watchOS. There’s also a security update for Catalina. While none of the bugs patched are listed as being under active attack, several of these vulnerabilities were reportedly used during the last Tianfu Cup. Exploits demonstrated at this contest have received a lot of attention in the past, and this bunch will likely receive the same amount of scrutiny from researchers and attackers alike. 

Adobe Patches for December 2021

For December, Adobe released 11 patches addressing 60 CVEs in Adobe Audition, Lightroom, Media Encoder, Premiere Pro, Prelude, Dimension, After Effects, Photoshop, Connect, Experience Manager, and Premiere Rush. At total of 31 of these bugs were reported by ZDI vulnerability researcher Mat Powell. The most severe of these updates impacts Adobe Experience Manager. This patch fixes eight different bugs, including one rated as CVSS 9.8 and several stored cross-site scripting (XSS) issues. The update for Premiere Rush fixes 16 bugs, many of which are rated Critical. However, there are no CVSS scores listed on this one. Considering many of the bugs result in arbitrary code execution, treat them as you would any other high-scoring vuln.

The patch for Premiere Pro fixes only five CVEs, but one of those is a Critical-rated Out-of-Bounds (OOB) write that could allow arbitrary code execution. The specific flaw exists within the parsing of 3GP files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. The update for After Effects covers 10 CVEs, include two that could allow code execution. Most of the update fixes privilege escalation bugs. The Dimension patch also fixes three Critical-rated code execution bugs to along with a few privilege escalations.

The patch for Adobe Audition fixes three Moderate bugs, while the Lightroom fix addresses a single privilege escalation. The patch for Media Encoder fixes five bugs, two of which are rated Critical and could allow remote code execution. Similarly, the patch for Prelude includes a fix for one Critical code execution bug to go along with an Important LPE. The update for Connect addresses a single CSRF bug. The patch for Photoshop fixes two Critical and one Important-rated bug. The Critical bugs could allow code execution if you open a specially crafted file.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.

Google Chrome Patches for December 2021

Google is another vendor that doesn’t follow the patch Tuesday release cycle but still managed to release a significant update yesterday. The Chrome Stable channel has been updated to 96.0.4664.110, and the patch includes five security fixes. One of these bugs, CVE-2021-4102, a use-after-free bug in V8, is listed as having exploits in the wild. Three other High severity and one Critical severity bugs are also addressed. Tis the season to be shopping online. Make sure your browser is up to date as you do so. These bugs are not included in the Edge (Chromium-based) updates discussed below. If you’re interested in other V8 bugs, check out this series of blogs recently published by ZDI vulnerability researcher Hossein Lotfi.

Microsoft Patches for December 2021

For December, Microsoft released patches today for 67 new CVEs in Microsoft Windows and Windows Components, ASP.NET Core and Visual Studio, Azure Bot Framework SDK, Internet Storage Name Service, Defender for IoT, Edge (Chromium-based), Microsoft Office and Office Components, SharePoint Server, PowerShell, Remote Desktop Client, Windows Hyper-V, Windows Mobile Device Management, Windows Remote Access Connection Manager, TCP/IP, and the Windows Update Stack. This is in addition to the 16 CVEs patched by Microsoft Edge (Chromium-based) earlier this month, which brings the December total to 83 CVEs.

This brings the total number of CVEs patched by Microsoft this year to 887 – a 29% decrease from 2020. This excludes the CVEs consumed from Chrome for the Edge (Chromium-based) browser. Based on recent reports, the Microsoft bug bounty program received approximately the same number of vulnerability reports. It’s unclear if Microsoft is combining multiple submissions into a single CVE or if there is a significant back log of patches just waiting to be released. It could lead to a rough 2022 for patching. At least there are no Exchange Server patches to worry about over the holidays.  

Of the CVEs patched today, seven are rated Critical and 60 are rated as Important in severity. A total of 10 of these bugs came through the ZDI program. Five of these bugs are listed as publicly known, and one is listed as being publicly exploited at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the 0-day that was patched:

-       CVE-2021-43890 - Windows AppX Installer Spoofing Vulnerability
Emotet is like that holiday guest that just won’t take a hint and leave. This patch fixes a bug in the AppX installer that affects Windows. Microsoft states they have seen the bug used in malware in the Emotet/Trickbot/Bazaloader family. An attacker would need to craft a malicious attachment to be used in phishing campaigns. The attacker would then have to convince the user to open the specially crafted attachment. It seems and code execution would occur at the logged-on user level, so attackers would likely combine this with another bug to take control of a system. This malware family has been going for some time now. It seems like it will be around for a bit longer.

-       CVE-2021-43215 – iSNS Server Remote Code Execution Vulnerability
This patch fixes a bug in the Internet Storage Name Service (iSNS) server that could allow remote code execution if an attacker sends a specially crafted request to an affected server. If you aren’t familiar with it, iSNS is a protocol that enables automated discovery and management of iSCSI devices on a TCP/IP storage network. In other words, if you’re running a SAN in your enterprise, you either have an iSNS server or you configure each of the logical interfaces individually. This bug is one of three CVSS 9.8 bugs fixed this month. If you have a SAN, prioritize testing and deploying this patch. 

-       CVE-2021-43899 – Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability
This update fixes a vulnerability that could allow an unauthenticated attacker to execute their code on an affected device. The attacker would need to be on the same network as the Microsoft 4K Display Adapter. If they are, they could send specially crafted packets to the affected device. Patching this won’t be an easy chore. To be protected, users need to install the Microsoft Wireless Display Adapter application from the Microsoft Store onto a system connected to the Microsoft 4K Wireless Display Adapter. Only then can the use the “Update & Security” section of the app to download the latest firmware to mitigate this bug. This is the second CVSS 9.8 bug being patched this month.

-       CVE-2021-43907 – Visual Studio Code WSL Extension Remote Code Execution Vulnerability
This is the final CVSS 9.8 vulnerability being patched this month. The impacted component lets users use the Windows Subsystem for Linux (WSL) as a full-time development environment from Visual Studio Code. It allows you to develop in a Linux-based environment, use Linux-specific toolchains and utilities, and run and debug Linux-based applications all from within Windows. That sort of cross-platform functionality is used by many in the DevOps community. This patch fixes a remote code execution bug in the extension, but Microsoft doesn’t specify exactly how that code execution could occur. They do list it as unauthenticated and requires no user interaction, so if you use this extension, get this update tested and deployed quickly.

-       CVE-2021-42309 – Microsoft SharePoint Server Remote Code Execution Vulnerability
This patch fixes a bug reported through the ZDI program. The vulnerability allows a user to elevate and execute code in the context of the service account. An attacker would need “Manage Lists” permissions on a SharePoint site, but by default, any authorized user can create their own new site where they have full permissions. This bug allows an attacker to bypass the restriction against running arbitrary server-side web controls. This is similar to the previously patched CVE-2021-28474. However, in this case, the unsafe control is “smuggled” in a property of an allowed control.

Here’s the full list of CVEs released by Microsoft for December 2021:

CVE Title Severity CVSS Public Exploited Type
CVE-2021-43890 Windows AppX Installer Spoofing Vulnerability Important 7.1 Yes Yes Spoofing
CVE-2021-43240 NTFS Set Short Name Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-43893 Windows Encrypting File System (EFS) Elevation of Privilege Vulnerability Important 7.5 Yes No EoP
CVE-2021-43883 Windows Installer Elevation of Privilege Vulnerability Important 7.1 Yes No EoP
CVE-2021-43880 Windows Mobile Device Management Elevation of Privilege Vulnerability Important 5.5 Yes No EoP
CVE-2021-41333 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-43215 iSNS Server Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-43899 Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-42310 Microsoft Defender for IoT Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2021-43905 Microsoft Office app Remote Code Execution Vulnerability Critical 9.6 No No RCE
CVE-2021-43233 Remote Desktop Client Remote Code Execution Vulnerability Critical 7 No No RCE
CVE-2021-43907 Visual Studio Code WSL Extension Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-43217 Windows Encrypting File System (EFS) Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2021-43877 ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-43225 Bot Framework SDK Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2021-43219 DirectX Graphics Kernel File Denial of Service Vulnerability Important 7.4 No No DoS
CVE-2021-40452 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-40453 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-41360 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-43892 Microsoft BizTalk ESB Toolkit Spoofing Vulnerability Important 7.1 No No Spoofing
CVE-2021-42312 Microsoft Defender for IOT Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-43888 Microsoft Defender for IoT Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-41365 Microsoft Defender for IoT Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-42311 Microsoft Defender for IoT Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-42313 Microsoft Defender for IoT Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-42314 Microsoft Defender for IoT Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-42315 Microsoft Defender for IoT Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-43882 Microsoft Defender for IoT Remote Code Execution Vulnerability Important 9 No No RCE
CVE-2021-43889 Microsoft Defender for IoT Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2021-43256 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-42293 Microsoft Jet Red Database Engine and Access Connectivity Engine Elevation of Privilege Vulnerability Important 6.5 No No EoP
CVE-2021-43216 Microsoft Local Security Authority Server (lsasrv) Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-43222 Microsoft Message Queuing Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-43236 Microsoft Message Queuing Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-43875 Microsoft Office Graphics Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-43255 Microsoft Office Trust Center Spoofing Vulnerability Important 5.5 No No Spoofing
CVE-2021-43896 Microsoft PowerShell Spoofing Vulnerability Important 5.5 No No Spoofing
CVE-2021-42294 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2021-42309 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-42320 Microsoft SharePoint Server Spoofing Vulnerability Important 8 No No Spoofing
CVE-2021-43242 Microsoft SharePoint Server Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2021-43227 Storage Spaces Controller Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-43235 Storage Spaces Controller Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-43228 SymCrypt Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-42295 Visual Basic for Applications Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-43891 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-43908 Visual Studio Code Spoofing Vulnerability Important N/A No No Spoofing
CVE-2021-43243 VP9 Video Extensions Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-43214 Web Media Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-43207 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-43226 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-43224 Windows Common Log File System Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-43248 Windows Digital Media Receiver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-43245 Windows Digital TV Tuner Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-43232 Windows Event Tracing Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-43234 Windows Fax Service Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-43246 Windows Hyper-V Denial of Service Vulnerability Important 5.6 No No DoS
CVE-2021-43244 Windows Kernel Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-40441 Windows Media Center Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-43229 Windows NTFS Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-43230 Windows NTFS Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-43231 Windows NTFS Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-43239 Windows Recovery Environment Agent Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2021-43223 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-43238 Windows Remote Access Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-43237 Windows Setup Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-43247 Windows TCP/IP Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
* CVE-2021-4052 Chromium: CVE-2021-4052 Use after free in web apps High N/A No No RCE
* CVE-2021-4053 Chromium: CVE-2021-4053 Use after free in UI High N/A No No RCE
* CVE-2021-4054 Chromium: CVE-2021-4054 Incorrect security UI in autofill High N/A No No RCE
* CVE-2021-4055 Chromium: CVE-2021-4055 Heap buffer overflow in extensions High N/A No No RCE
* CVE-2021-4056 Chromium: CVE-2021-4056: Type Confusion in loader High N/A No No RCE
* CVE-2021-4057 Chromium: CVE-2021-4057 Use after free in file API High N/A No No RCE
* CVE-2021-4058 Chromium: CVE-2021-4058 Heap buffer overflow in ANGLE High N/A No No RCE
* CVE-2021-4059 Chromium: CVE-2021-4059 Insufficient data validation in loader High N/A No No RCE
* CVE-2021-4061 Chromium: CVE-2021-4061 Type Confusion in V8 High N/A No No RCE
* CVE-2021-4062 Chromium: CVE-2021-4062 Heap buffer overflow in BFCache High N/A No No RCE
* CVE-2021-4063 Chromium: CVE-2021-4063 Use after free in developer tools High N/A No No RCE
* CVE-2021-4064 Chromium: CVE-2021-4064 Use after free in screen capture High N/A No No RCE
* CVE-2021-4065 Chromium: CVE-2021-4065 Use after free in autofill High N/A No No RCE
* CVE-2021-4066 Chromium: CVE-2021-4066 Integer underflow in ANGLE High N/A No No RCE
* CVE-2021-4067 Chromium: CVE-2021-4067 Use after free in window manager High N/A No No RCE
* CVE-2021-4068 Chromium: CVE-2021-4068 Insufficient validation of untrusted input in new tab page Low N/A No No Spoofing

* Indicates this CVE had previously been released by a 3rd-party and is now being incorporated into Microsoft products.

Looking at the rest of the release, the 10 patches – one Critical and nine Important – for the Microsoft Defender for IOT stand out. Several of these were reported to the ZDI program by an anonymous researcher. One of the more severe bugs exists in the password reset mechanism. A password reset request consists of a signed JSON document, a signing certificate, and an intermediate certificate that was used to sign the signing certificate. The intermediate certificate is supposed to chain up to a root CA certificate built into the appliance. Due to a flaw in this process, an attacker can reset someone else’s password. Patching these bugs requires a sysadmin to take action on the device itself. Automatic updates are available here.

Moving on to the other Critical-rated bugs, there’s another RDP bug, but this one is in the client instead of the server. There’s a bug in the Microsoft Office app that could allow unauthenticated remote code execution, but it’s not clear how since Microsoft lists user interaction is required. You will likely be automatically updated through the Microsoft Store, but if you have disabled automatic store updates, you’ll need to update manually through the store. The final Critical-rated bug affects the Windows Encrypting File System (EFS). An attacker could cause a buffer overflow that would leading to unauthenticated non-sandboxed code execution, even if the EFS service isn’t running at the time. EFS interfaces can trigger a start of the EFS service if it is not running.

Of the remaining remote code execution bugs, only a few stand out. A few are in the HEVC Video Extensions and equate to either open-and-own or browse-and-own bugs. Similar to the Office app, the update will be delivered through the Windows Store. If you have disabled Store updates or are in a disconnected environment, you’ll need to use either the Microsoft Store for Business or the Microsoft Store for Education. The same goes for the Web Media Extensions. There are a few RCE bugs in Office applications, but those get updates through the normal methods. Same goes for the Windows Fax service, which is a nice reminder that faxes are a thing that some people still use.

There are 21 patches addressing Elevation of Privilege (EoP) bugs, including all five publicly known vulnerabilities. As always, Microsoft does not give any indication on what information about these bugs is public or where the disclosure was made. For the most part, these bugs require an attacker to log on to an affected system and run a specially crafted application to elevate privileges. A couple of other notable EoP bugs were reported to the ZDI by Abdelhamid Naceri. The first occurs in Windows Remote Access and the second occurs in the Windows Update Assistant. By creating a directory junction, an attacker can abuse Windows Update Assistant to change the DACL on an arbitrary file. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of SYSTEM.

The December release includes fixes for 10 information disclosure bugs. For nine of these bugs, the vulnerabilities result in leaks consisting of unspecified memory contents. However, for the info disclosure bug in Microsoft Defender for IoT, an attacker could disclose device security information, which includes things like the security score, any outdated operating systems, and malware infections.

There are three denial-of-service (DoS)-related patches fixing bugs in Hyper-V, SymCrypt, and the DirectX Graphics component. No additional details are provided by Microsoft regarding these bugs.

This month’s release is rounded out by seven patches for spoofing bugs. Of note, the fix for the Microsoft Office Trust Center requires multiple patches to completely address the bug. On the upside, they can be installed in any order. The other spoofing bugs exist in SharePoint and PowerShell, but no additional details are available.

No new advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on January 11, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean! Merry Christmahanakwanzika!

The December 2021 Security Update Review

The January 2022 Security Update Review

11 January 2022 at 18:24

The first patch Tuesday of the year is here, and with it comes the latest security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for January 2022

For January, Adobe released 5 patches addressing 41 CVEs in Acrobat and Reader, Illustrator, Adobe Bridge, InCopy, and InDesign. A total of 22 of these bugs came through the ZDI program. The update for Acrobat and Reader fixes a total of 26 bugs, the worst of which could lead to remote code execution (RCE) if a user opened a specially crafted PDF. Several of these bugs were demonstrated at the Tianfu Cup, so it would not be unexpected to see these used in the wild somewhere down the line. The update for InCopy fixes three Critical-rated RCE bugs and one Important-rated privilege escalation. The patch for InDesign corrects two Critical-rated Out-of-bounds (OOB) Write bugs that could lead to code execution plus a Moderate Use-After-Free privilege escalation. The fix for Adobe Bridge covers six bugs, but only one OOB Write is listed as Critical. The others are a mix of privilege escalations and memory leaks. Finally, the patch for Illustrator covers two OOB Read bugs – neither of which can be used for code execution.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.

Microsoft Patches for January 2022

For January, Microsoft released patches today for 96 new CVEs in Microsoft Windows and Windows Components, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP). This is in addition to the 24 CVEs patched by Microsoft Edge (Chromium-based) earlier this month and 2 other CVEs previously fixed in open-source projects. This brings the January total to 122 CVEs.

This is an unusually large update for January. Over the last few years, the average number of patches released in January is about half this volume. We’ll see if this volume continues throughout the year. It’s certainly a change from the smaller releases that ended 2021.

Of the CVEs patched today, nine are rated Critical and 89 are rated Important in severity. A total of five of these bugs came through the ZDI program. Six of these bugs are listed as publicly known at the time of release, but none are listed as under active attack. Update: After the initial release, Microsoft updated CVE-2022-21882 to indicate it is currently under active attack. Let’s take a closer look at some of the more interesting updates for this month, starting with a bug in http.sys listed as wormable:

-       CVE-2022-21907 - HTTP Protocol Stack Remote Code Execution Vulnerability
This bug could allow an attacker to gain code execution on an affected system by sending specially crafted packets to a system utilizing the HTTP Protocol Stack (http.sys) to process packets. No user interaction, no privileges required, and an elevated service add up to a wormable bug. And while this is definitely more server-centric, remember that Windows clients can also run http.sys, so all affected versions are affected by this bug. Test and deploy this patch quickly.

-       CVE-2022-21846 - Microsoft Exchange Server Remote Code Execution Vulnerability
Yet another Exchange RCE bug, and another Exchange bug reported by the National Security Agency. This is one of three Exchange RCEs being fixed this month, but this is the only one marked Critical. All are listed as being network adjacent in the CVSS score, so an attacker would need to be tied to the target network somehow. Still, an insider or attacker with a foothold in the target network could use this bug to take over the Exchange server.

-       CVE-2022-21840 - Microsoft Office Remote Code Execution Vulnerability
Most Office-related RCE bugs are Important severity since they require user interaction and often have warning dialogs, too. However, this bug is listed as Critical. That normally means the Preview Pane is an attack vector, but that’s also not the case here. Instead, this bug is likely Critical due to the lack of warning dialogs when opening a specially crafted file. There are also multiple patches to address this bug, so be sure you apply all available patches. Unfortunately, if you’re running Office 2019 for Mac and Microsoft Office LTSC for Mac 2021, you’re out of luck because there are no patches available for these products. Let’s hope Microsoft makes these patches available soon.

-       CVE-2022-21857 - Active Directory Domain Services Elevation of Privilege Vulnerability
This patch fixes a bug that allowed attackers to elevate privileges across an Active Directory trust boundary under certain conditions. Although privilege escalations generally rate an Important severity rating, Microsoft deemed the flaw sufficient enough for a Critical rating. This does require some level of privileges, so again, an insider or other attacker with a foothold in a network could use this for lateral movement and maintaining a presence within an enterprise.

Here’s the full list of CVEs released by Microsoft for January 2022:

CVE Title Severity CVSS Public Exploited Type
CVE-2021-22947 * Open Source Curl Remote Code Execution Vulnerability Critical N/A Yes No RCE
CVE-2021-36976 * Libarchive Remote Code Execution Vulnerability Important N/A Yes No RCE
CVE-2022-21836 Windows Certificate Spoofing Vulnerability Important 7.8 Yes No Spoofing
CVE-2022-21839 Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability Important 6.1 Yes No DoS
CVE-2022-21874 Windows Security Center API Remote Code Execution Vulnerability Important 7.8 Yes No RCE
CVE-2022-21919 Windows User Profile Service Elevation of Privilege Vulnerability Important 7 Yes No EoP
CVE-2022-21857 Active Directory Domain Services Elevation of Privilege Vulnerability Critical 8.8 No No EoP
CVE-2022-21912 DirectX Graphics Kernel Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2022-21898 DirectX Graphics Kernel Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2022-21917 HEVC Video Extensions Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2022-21907 HTTP Protocol Stack Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2022-21846 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 9 No No RCE
CVE-2022-21840 Microsoft Office Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2022-21833 Virtual Machine IDE Drive Elevation of Privilege Vulnerability Critical 7.8 No No EoP
CVE-2022-21911 .NET Framework Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-21869 Clipboard User Service Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21865 Connected Devices Platform Service Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21918 DirectX Graphics Kernel File Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2022-21913 Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass Important 5.3 No No SFB
CVE-2022-21884 Local Security Authority Subsystem Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21910 Microsoft Cluster Port Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21835 Microsoft Cryptographic Services Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21871 Microsoft Diagnostics Hub Standard Collector Runtime Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21891 Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2022-21932 Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability Important 7.6 No No XSS
CVE-2022-21970 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important 6.1 No No EoP
CVE-2022-21841 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-21855 Microsoft Exchange Server Remote Code Execution Vulnerability Important 9 No No RCE
CVE-2022-21969 Microsoft Exchange Server Remote Code Execution Vulnerability Important 9 No No RCE
CVE-2022-21837 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.3 No No RCE
CVE-2022-21842 Microsoft Word Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-21850 Remote Desktop Client Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-21851 Remote Desktop Client Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-21964 Remote Desktop Licensing Diagnoser Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-21893 Remote Desktop Protocol Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-21922 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-21894 Secure Boot Security Feature Bypass Vulnerability Important 4.4 No No SFB
CVE-2022-21877 Storage Spaces Controller Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-21870 Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21861 Task Flow Data Engine Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21873 Tile Data Repository Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21882 Win32k Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21887 Win32k Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21876 Win32k Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-21859 Windows Accounts Control Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21860 Windows AppContracts API Server Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21862 Windows Application Model Core API Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21925 Windows BackupKey Remote Protocol Security Feature Bypass Vulnerability Important 5.3 No No SFB
CVE-2022-21858 Windows Bind Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21838 Windows Cleanup Manager Elevation of Privilege Vulnerability Important 5.5 No No EoP
CVE-2022-21916 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21897 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21906 Windows Defender Application Control Security Feature Bypass Vulnerability Important 5.5 No No SFB
CVE-2022-21921 Windows Defender Credential Guard Security Feature Bypass Vulnerability Important 4.4 No No SFB
CVE-2022-21868 Windows Devices Human Interface Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21852 Windows DWM Core Library Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21902 Windows DWM Core Library Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21896 Windows DWM Core Library Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21872 Windows Event Tracing Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21899 Windows Extensible Firmware Interface Security Feature Bypass Vulnerability Important 5.5 No No SFB
CVE-2022-21903 Windows GDI Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21904 Windows GDI Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2022-21915 Windows GDI+ Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2022-21880 Windows GDI+ Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2022-21878 Windows Geolocation Service Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-21847 Windows Hyper-V Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2022-21901 Windows Hyper-V Elevation of Privilege Vulnerability Important 9 No No EoP
CVE-2022-21900 Windows Hyper-V Security Feature Bypass Vulnerability Important 4.6 No No SFB
CVE-2022-21905 Windows Hyper-V Security Feature Bypass Vulnerability Important 4.6 No No SFB
CVE-2022-21843 Windows IKE Extension Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-21883 Windows IKE Extension Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-21848 Windows IKE Extension Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-21889 Windows IKE Extension Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-21890 Windows IKE Extension Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-21849 Windows IKE Extension Remote Code Execution Vulnerability Important 9.8 No No RCE
CVE-2022-21908 Windows Installer Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21920 Windows Kerberos Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2022-21879 Windows Kernel Elevation of Privilege Vulnerability Important 5.5 No No EoP
CVE-2022-21881 Windows Kernel Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21888 Windows Modern Execution Server Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-21867 Windows Push Notifications Apps Elevation Of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21885 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21914 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21892 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2022-21958 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2022-21959 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2022-21960 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2022-21961 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2022-21962 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2022-21963 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important 6.4 No No RCE
CVE-2022-21928 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability Important 6.3 No No RCE
CVE-2022-21863 Windows StateRepository API Server file Elevation of Privilege Vulnerability Important 7 No No RCE
CVE-2022-21875 Windows Storage Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21866 Windows System Launcher Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21864 Windows UI Immersive Server API Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21895 Windows User Profile Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21834 Windows User-mode Driver Framework Reflector Driver Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-21924 Workstation Service Remote Protocol Security Feature Bypass Vulnerability Important 5.3 No No SFB
CVE-2022-0096 * Chromium: CVE-2022-0096 Use after free in Storage Critical N/A No No
CVE-2022-0097 * Chromium: CVE-2022-0097 Inappropriate implementation in DevTools High N/A No No
CVE-2022-0098 * Chromium: CVE-2022-0098 Use after free in Screen Capture High N/A No No
CVE-2022-0099 * Chromium: CVE-2022-0099 Use after free in Sign-in High N/A No No
CVE-2022-0100 * Chromium: CVE-2022-0100 Heap buffer overflow in Media streams API High N/A No No
CVE-2022-0101 * Chromium: CVE-2022-0101 Heap buffer overflow in Bookmarks High N/A No No
CVE-2022-0102 * Chromium: CVE-2022-0102 Type Confusion in V8 High N/A No No
CVE-2022-0103 * Chromium: CVE-2022-0103 Use after free in SwiftShader High N/A No No
CVE-2022-0104 * Chromium: CVE-2022-0104 Heap buffer overflow in ANGLE High N/A No No
CVE-2022-0105 * Chromium: CVE-2022-0105 Use after free in PDF High N/A No No
CVE-2022-0106 * Chromium: CVE-2022-0106 Use after free in Autofill High N/A No No
CVE-2022-0107 * Chromium: CVE-2022-0107 Use after free in File Manager API Medium N/A No No
CVE-2022-0108 * Chromium: CVE-2022-0108 Inappropriate implementation in Navigation Medium N/A No No
CVE-2022-0109 * Chromium: CVE-2022-0109 Inappropriate implementation in Autofill Medium N/A No No
CVE-2022-0110 * Chromium: CVE-2022-0110 Incorrect security UI in Autofill Medium N/A No No
CVE-2022-0111 * Chromium: CVE-2022-0111 Inappropriate implementation in Navigation Medium N/A No No
CVE-2022-0112 * Chromium: CVE-2022-0112 Incorrect security UI in Browser UI Medium N/A No No
CVE-2022-0113 * Chromium: CVE-2022-0113 Inappropriate implementation in Blink Medium N/A No No
CVE-2022-0114 * Chromium: CVE-2022-0114 Out of bounds memory access in Web Serial Medium N/A No No
CVE-2022-0115 * Chromium: CVE-2022-0115 Uninitialized Use in File API Medium N/A No No
CVE-2022-0116 * Chromium: CVE-2022-0116 Inappropriate implementation in Compositing Medium N/A No No
CVE-2022-0117 * Chromium: CVE-2022-0117 Policy bypass in Service Workers Low N/A No No
CVE-2022-0118 * Chromium: CVE-2022-0118 Inappropriate implementation in WebShare Low N/A No No
CVE-2022-0120 * Chromium: CVE-2022-0120 Inappropriate implementation in Passwords Low N/A No No

* Indicates this CVE had previously been released by a 3rd-party and is now being incorporated into Microsoft products.

Looking at the remaining Critical-rated patches released this month, two impact DirectX, and one affects HEVC video extensions. Viewing a specially crafted media file could result in code execution. For the HEVC extensions, you’ll need to be connected to the Microsoft Store to receive the update. Otherwise, you’ll need to manually verify the update has been applied. There’s a fix for the Virtual Machine IDE Drive that could allow a privilege escalation, but the complexity is marked high on this bug. Seeing this bug in the wild would likely take quite a bit of work. There’s a patch for the Windows Security Center API. Microsoft doesn’t say how the code execution could occur, and although the is title as remote code execution, they list the attack vector as local. The final Critical-rated bug for January was actually disclosed by HackerOne back in September 2021. This patch includes the latest Curl libraries into Microsoft products. This is why this CVE is listed as publicly known. Similarly, the patch for the Libarchive library was also disclosed in 2021, and the latest version of this library is now being incorporated into Microsoft products.

Moving on to Important-rated patches, there are over 20 that could lead to remote code execution. Eight of these bugs impact the Windows Resilient File System (ReFS), but these require physical access. Microsoft doesn’t always patch bugs that require physical access but getting code execution by just inserting a USB drive is an exception to that rule. There’s also a patch for the Windows Internet Key Exchange (IKE) protocol extension that rates a CVSS of 9.8. According to Microsoft, this bug could allow a remote attacker to “trigger multiple vulnerabilities without being authenticated,” but they don’t specify what vulnerabilities or provide further details. Only systems the IPSec service running are affected by this bug.

There are some code execution bugs in RDP, but these impact the RDP client. The patch for the RDP protocol requires a user to connect to a malicious RDP server. Fortunately, these aren’t as severe as the previously patched BlueKeep RDP bugs. There are a couple of code execution bugs in Office components and the aforementioned Important-rated Exchange bugs. There is an Edge (Chromium) bug getting fixed, and this is separate from the Chromium fixes integrated earlier this month.

There are a whopping 41 patches to correct Elevation of Privilege (EoP) bugs, however, most of these require an attacker to log on to an affected system a run a specially crafted program. Many different Windows components have these EoP bugs, most notably the kernel and kernel-mode drivers. The EoP fixed on Hyper-V is different. In this case, an attacker on a guest OS could potentially interact with processes of another Hyper-V guest hosted on the same Hyper-V host. While not a full guest-to-host escape, that could still be very useful to an adversary.

Moving on to the nine Security Feature Bypass (SFB) patches, some impacted components stand out. Unfortunately, Microsoft provides no information on what feature is being bypassed or how that impacts the security of an enterprise. We can say some important components, like Local Security Authority, Secure Boot Feature, Windows Defender, and Workstation Service all receive updates. The only exception is the two SFB bugs in Hyper-V. For configurations using router guard, packets that normally would be dropped could get processed. This could allow an attacker to bypass set policy and potentially influence router paths.

There are also nine patches fixing Denial-of-Service (DoS) bugs this month. Most of these bugs are found in the Windows IKE Extension, but only systems with the IPSec service running are affected by these bugs.

This month’s release includes six fixes for information disclosure bugs. Most of these only result in leaks consisting of unspecified memory contents. However, the bug in the Remote Desktop Licensing Diagnoser could allow an attacker to recover cleartext passwords from memory.

The January release is rounded out with two spoofing bugs in the Windows Certificate component and Microsoft Dynamics 365 and a cross-site scripting (XSS) bug in the Dynamics 365 Customer Engagement component. The bug in the Windows Certificate component could allow an attacker to bypass Windows Platform Binary Table (WPBT) binary verification by using a small number of compromised certificates. This is also listed as publicly known, but Microsoft gives no indication where it was publicly posted.

No new advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on February 8, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The January 2022 Security Update Review

The February 2022 Security Update Review

8 February 2022 at 18:28

It’s the second patch Tuesday of 2022, which means the latest security updates from Adobe and Microsoft are here. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for February 2022

For February, Adobe released five bulletins addressing 17 CVEs in Adobe Illustrator, Creative Cloud Desktop, After Effects, Photoshop, and Premiere Rush. Two of these 17 were reported by ZDI Vulnerability Researcher Mat Powell. The update for Illustrator fixes a total of 13 bugs, the most severe of which could allow arbitrary code execution through either a buffer overflow or an Out-Of-Bounds (OOB) Write. The patch for Creative Cloud Desktop also fixes a single, Critical-rated code execution bug.

The theme of Critical-rated code execution bugs continues with the fix for After Effects. This patch addresses an OOB write bug that exists within the parsing of 3GP files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. The final Critical-rated patch from Adobe this month fixes a buffer overflow in Photoshop that could allow code execution.

The only Moderate-rated patch this month is the update for Premiere Rush. This patch fixes a bug that exists within the parsing of JPEG images. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.

Microsoft Patches for February 2022

For February, Microsoft released 51 new patches addressing CVEs in Microsoft Windows and Windows Components, Azure Data Explorer, Kestrel Web Server, Microsoft Edge (Chromium-based), Windows Codecs Library, Microsoft Dynamics, Microsoft Dynamics GP, Microsoft Office and Office Components, Windows Hyper-V Server, SQL Server, Visual Studio Code, and Microsoft Teams. A total of five of these bugs came through the ZDI program. This is in addition to the 19 CVEs patched by Microsoft Edge (Chromium-based) earlier this month, which brings the February total to 70 CVEs.

This volume is in line with February releases from previous years, which (apart from 2020) tend to be around 50 CVEs. What’s more curious about this release is the complete lack of Critical-rated patches. Of the patches released today, 50 are rated Important and one is rated Moderate in severity. It may have happened before, but I can’t find an example of a monthly release from Microsoft that doesn’t include at least one Critical-rated patch. It certainly hasn’t happened in recent memory. Interestingly, Microsoft has chosen to provide some additional explanations of CVSS ratings in this month’s release, but there are still many details about the bugs themselves that are left obscured.

None of the bugs are listed as under active exploit this month, while one is listed as publicly known at the time of release. Last month, Microsoft also initially listed the release as having no active attacks only to revise CVE-2022-21882 two days post release to indicate “Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.” We’ll update this blog should they change their mind this month as well.

Let’s take a closer look at some of the more interesting updates for this month, starting with a significant bug in the Windows DNS Server:

-       CVE-2022-21984 – Windows DNS Server Remote Code Execution Vulnerability
This patch fixes a remote code execution bug in the Microsoft DNS server. The server is only affected if dynamic updates are enabled, but this is a relatively common configuration. If you have this setup in your environment, an attacker could completely take over your DNS and execute code with elevated privileges. Since dynamic updates aren’t enabled by default, this doesn’t get a Critical rating. However, if your DNS servers do use dynamic updates, you should treat this bug as Critical.

-       CVE-2022-23280 – Microsoft Outlook for Mac Security Feature Bypass Vulnerability
This Outlook bug could allow images to appear in the Preview Pane automatically, even if this option is disabled. On its own, exploiting this will only expose the target's IP information. However, it’s possible a second bug affecting image rendering could be paired with this bug to allow remote code execution. If you are using Outlook for Mac, you should double-check to ensure your version has been updated to an unaffected version.

-       CVE-2022-21995 – Windows Hyper-V Remote Code Execution Vulnerability
This patch fixes a guest-to-host escape in Hyper-V server. Microsoft marks the CVSS exploit complexity as High here stating an attacker, “must prepare the target environment to improve exploit reliability.” Since this is the case for most exploits, it’s not clear how this vulnerability is different. If you rely on Hyper-V servers in your enterprise, it’s recommended to treat this as a Critical update.

-       CVE-2022-22005 – Microsoft SharePoint Server Remote Code Execution Vulnerability
This patch fixes a bug in SharePoint Server that could allow an authenticated user to execute any arbitrary .NET code on the server under the context and permissions of the service account of SharePoint Web Application. An attacker would need “Manage Lists” permissions to exploit this, by default, authenticated users are able to create their own sites and, in this case, the user will be the owner of this site and will have all necessary permissions. This case came through the ZDI, and we’ll have additional details out about it in the near future.

Here’s the full list of CVEs released by Microsoft for February 2022:

CVE Title Severity CVSS Public Exploited Type
CVE-2022-21989 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2022-21984 Windows DNS Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-23280 Microsoft Outlook for Mac Security Feature Bypass Vulnerability Important 5.3 No No SFB
CVE-2022-21995 Windows Hyper-V Remote Code Execution Vulnerability Important 7.9 No No RCE
CVE-2022-22005 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-21986 .NET Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-23256 Azure Data Explorer Spoofing Vulnerability Important 8.1 No No Spoofing
CVE-2022-21844 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-21926 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-21927 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-21957 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2022-23271 Microsoft Dynamics GP Elevation Of Privilege Vulnerability Important 6.5 No No EoP
CVE-2022-23272 Microsoft Dynamics GP Elevation Of Privilege Vulnerability Important 8.1 No No EoP
CVE-2022-23273 Microsoft Dynamics GP Elevation Of Privilege Vulnerability Important 7.1 No No EoP
CVE-2022-23274 Microsoft Dynamics GP Remote Code Execution Vulnerability Important 8.3 No No RCE
CVE-2022-23269 Microsoft Dynamics GP Spoofing Vulnerability Important 6.9 No No Spoofing
CVE-2022-23262 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important 6.3 No No EoP
CVE-2022-23263 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important 7.7 No No EoP
CVE-2022-22716 Microsoft Excel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-22004 Microsoft Office ClickToRun Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-22003 Microsoft Office Graphics Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-23252 Microsoft Office Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-21988 Microsoft Office Visio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-23255 Microsoft OneDrive for Android Security Feature Bypass Vulnerability Important 5.9 No No SFB
CVE-2022-23254 Microsoft Power BI Elevation of Privilege Vulnerability Important 4.9 No No EoP
CVE-2022-21968 Microsoft SharePoint Server Security Feature BypassVulnerability Important 4.3 No No SFB
CVE-2022-21987 Microsoft SharePoint Server Spoofing Vulnerability Important 8 No No Spoofing
CVE-2022-21965 Microsoft Teams Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-22715 Named Pipe File System Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21974 Roaming Security Rights Management Services Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-23276 SQL Server for Linux Containers Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21991 Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability Important 8.1 No No RCE
CVE-2022-22709 VP9 Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-21996 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-22710 Windows Common Log File System Driver Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2022-21981 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-22000 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21998 Windows Common Log File System Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-21994 Windows DWM Core Library Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-22712 Windows Hyper-V Denial of Service Vulnerability Important 5.6 No No DoS
CVE-2022-21992 Windows Mobile Device Management Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-21997 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2022-21999 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-22717 Windows Print Spooler Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-22718 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-22001 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21985 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-21971 Windows Runtime Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-21993 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2022-22002 Windows User Account Profile Picture Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2022-23261 Microsoft Edge (Chromium-based) Tampering Vulnerability Moderate 5.3 No No Tampering
CVE-2022-0452 * Chromium: CVE-2022-0452 Use after free in Safe Browsing High N/A No No N/A
CVE-2022-0453 * Chromium: CVE-2022-0453 Use after free in Reader Mode High N/A No No N/A
CVE-2022-0454 * Chromium: CVE-2022-0454 Heap buffer overflow in ANGLE High N/A No No N/A
CVE-2022-0455 * Chromium: CVE-2022-0455 Inappropriate implementation in Full Screen Mode High N/A No No N/A
CVE-2022-0456 * Chromium: CVE-2022-0456 Use after free in Web Search High N/A No No N/A
CVE-2022-0457 * Chromium: CVE-2022-0457 Type Confusion in V8 High N/A No No N/A
CVE-2022-0458 * Chromium: CVE-2022-0458 Use after free in Thumbnail Tab Strip High N/A No No N/A
CVE-2022-0459 * Chromium: CVE-2022-0459 Use after free in Screen Capture High N/A No No N/A
CVE-2022-0460 * Chromium: CVE-2022-0460 Use after free in Window Dialog Medium N/A No No N/A
CVE-2022-0461 * Chromium: CVE-2022-0461 Policy bypass in COOP Medium N/A No No N/A
CVE-2022-0462 * Chromium: CVE-2022-0462 Inappropriate implementation in Scroll Medium N/A No No N/A
CVE-2022-0463 * Chromium: CVE-2022-0463 Use after free in Accessibility Medium N/A No No N/A
CVE-2022-0464 * Chromium: CVE-2022-0464 Use after free in Accessibility Medium N/A No No N/A
CVE-2022-0465 * Chromium: CVE-2022-0465 Use after free in Extensions Medium N/A No No N/A
CVE-2022-0466 * Chromium: CVE-2022-0466 Inappropriate implementation in Extensions Platform Medium N/A No No N/A
CVE-2022-0467 * Chromium: CVE-2022-0467 Inappropriate implementation in Pointer Lock Medium N/A No No N/A
CVE-2022-0468 * Chromium: CVE-2022-0468 Use after free in Payments Medium N/A No No N/A
CVE-2022-0469 * Chromium: CVE-2022-0469 Use after free in Cast Medium N/A No No N/A
CVE-2022-0470 * Chromium: CVE-2022-0470 Out of bounds memory access in V8 Low N/A No No N/A

* Indicates this CVE had previously been released by a 3rd-party and is now being incorporated into Microsoft products.

Looking at the additional remote code execution bugs in this month’s patch release, the updates for HVEC and VP9 video extensions. Microsoft indicates this requires the exploit to be local. However, they also state viewing a specially crafted image file could result in Windows Explorer crashing. If this is the case, it stands to reason the image file could also be hosted on an SMB share, which would make this a remote exploit vector rather than local. The updates for these extensions can be found in the Microsoft Store, so you really only need to verify you have the updated versions unless you are in a disconnected environment.  

In addition to those already mentioned, there are nine additional remote code execution-related patches this month. There’s an update for Roaming Security Rights Management Services, but Microsoft offers no information on how an attacker could exploit this vulnerability. There are also no details for the Windows Runtime or the Mobile Device Management bug. If you’re using Windows for MDM, definitely take this update seriously. There are also a couple of open-and-own Office bugs getting fixed. The RCE bugs are rounded out by updates for Dynamics 365 (on-prem) and Dynamics GP.

Speaking of Dynamics GP, there are three patches fixing elevation of privilege (EoP) bugs in the component. Those are three of the 18 EoP patches in this month’s release. This includes an update for the Windows Kernel that is listed as publicly known. The remaining patches are mostly in other Windows components and require a logged-on user to execute a specially crafted program. The other EoP updates that stand out fix vulnerabilities in the Windows Print Spooler. Ever since PrintNightmare, the print spooler has been an attractive target for attackers and researchers alike. Pay special attention to CVE-2022-21999 since it was reported during the Tianfu Cup. Other bugs associated with this contest have been used in active attacks.

Moving on to the Security Feature Bypass (SFB) updates, there are two in addition to the previously mentioned one in Outlook for Mac. The bug in OneDrive for Android requires physical access to an unlocked phone but could allow an attacker to access OneDrive files while bypassing authentication. Really, if an attacker has access to your unlocked Android, this bug is probably the least of your concerns. The SFB for SharePoint is more severe since it could allow an attacker to bypass the blocking of HTTP requests based on IP range.

There are five patches fixing Denial-of-Service (DoS) bugs in this month’s release, and the one for Microsoft Teams stands out. While Microsoft provides no details about the exploit, it does indicate all versions of Teams need an update, including iOS and Android versions. The DoS in Hyper-V server should also be noted as successful exploitation could affect functionality of a Hyper-V host. The DoS vulnerability in .NET affects applications using the Kestrel web server. If you aren’t familiar with it, Kestrel is a cross-platform server within ASP.NET Core and is enabled by default. If you’re using Kestrel as an Internet-facing server, definitely apply this patch to prevent a DoS while handling certain HTTP/2 and HTTP/3 requests.

The February release contains three patches for spoofing bugs. There’s a patch for Azure Data Explorer. To receive the update, you will need to restart the Kusto.Explorer application. Dynamics GP receives an update here that could almost be considered code execution. While the vulnerability is in the web server, successful exploitation could allow malicious scripts to execute in the user’s browser on the target machine. And while spoofing bugs in SharePoint usually mean some form, the bug getting patched this month is different. An authenticated attacker could manipulate a SharePoint page they control to trick targeted users into sending attacker-controlled requests to the server under the permissions context of the target.

The lone Moderate-rated patch this month addresses a tampering bug in the Edge (Chromium-based) web browser.

No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV990001.

Looking Ahead

The next Patch Tuesday falls on March 8, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The February 2022 Security Update Review

The March 2022 Security Update Review

8 March 2022 at 18:30

It’s once again Patch Tuesday, which means the latest security updates from Adobe and Microsoft have arrived. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for March 2022

The Adobe release for March is quite small. This month, Adobe released only three patches addressing six CVEs in Adobe Photoshop, Illustrator, and After Effects. The patch for After Effects is the largest of the three. It fixes four Critical-rated, stacked-based buffer overflows that could result in arbitrary code execution. The fix for Illustrator is also rated Critical. It addresses a single buffer overflow that could lead to arbitrary code execution. Finally, the update for Photoshop fixes a single Important-rated memory leak.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.

Microsoft Patches for March 2022

For March, Microsoft released 71 new patches addressing CVEs in Microsoft Windows and Windows Components, Azure Site Recovery, Microsoft Defender for Endpoint and IoT, Intune, Edge (Chromium-based), Windows HTML Platforms, Office and Office Components, Skype for Chrome, .NET and Visual Studio, Windows RDP, SMB Server, and Xbox. This is in addition to the 21 CVEs patched by Microsoft Edge (Chromium-based) earlier this month, which brings the March total to 92 CVEs.

Of the 71 CVEs released today, three are rated Critical and 68 are rated Important in severity. A total of seven of these bugs came through the ZDI program. Historically speaking, this is volume is in line with previous March releases. However, the number of Critical-rated patches is again strangely low for this number of bugs. It’s unclear if this low percentage of bugs is just a coincidence or if Microsoft might be evaluating the severity using different calculus than in the past.

None of the bugs are listed as under active exploit this month, while three are listed as publicly known at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with one of the bugs listed as publicly known:

-       CVE-2022-21990 – Remote Desktop Client Remote Code Execution Vulnerability
This client-side bug doesn’t have the same punch as server-side related RDP vulnerabilities, but since it’s listed as publicly known, it makes sense to go ahead and treat this as a Critical-rated bug. If an attacker can lure an affected RDP client to connect to their RDP server, the attacker could trigger code execution on the targeted client. Again, this isn’t as severe as BlueKeep or some of the other RDP server bugs, but it definitely shouldn’t be overlooked.

-       CVE-2022-23277 – Microsoft Exchange Server Remote Code Execution Vulnerability
This Critical-rated bug in Exchange Server was reported by long-time ZDI contributor Markus Wulftange. The vulnerability would allow an authenticated attacker to execute their code with elevated privileges through a network call. This is also listed as low complexity with exploitation more likely, so it would not surprise me to see this bug exploited in the wild soon - despite the authentication requirement. Test and deploy this to your Exchange servers quickly.

-       CVE-2022-24508 – Windows SMBv3 Client/Server Remote Code Execution Vulnerability
This bug could allow an attacker to execute code on Windows 10 version 2004 and newer systems. It’s also reminiscent of CVE-2020-0796 from a couple of years ago. Both also list disabling SMBv3 compression as a workaround for SMB servers, but this doesn’t help clients. In 2020, Microsoft noted SMBv3 compression “is not yet used by Windows or Windows Server and disabling SMB Compression has no negative performance impact.” That’s not in the current advisory, so it’s unclear what disabling this feature will have now. Authentication is required here, but since this affected both clients and servers, an attacker could use this for lateral movement within a network. This is another one I would treat as Critical and mitigate quickly.

-       CVE-2022-21967 – Xbox Live Auth Manager for Windows Elevation of Privilege Vulnerability
This appears to be the first security patch impacting Xbox specifically. There was an advisory for an inadvertently disclosed Xbox Live certificate back in 2015, but this seems to be the first security-specific update for the device itself. Microsoft even notes other Windows OSes are not affected by this bug. It’s not clear how an attacker could escalate privileges using this vulnerability, but the Auth Manager component is listed as affected. This service handles interacting with the Xbox Live service. I doubt many enterprises are reliant on Xbox or Xbox Live, but if you are, make sure this patch doesn’t go unnoticed.

Here’s the full list of CVEs released by Microsoft for March 2022:

CVE Title Severity CVSS Public Exploited Type
CVE-2022-24512 .NET and Visual Studio Remote Code Execution Vulnerability Important 6.3 Yes No RCE
CVE-2022-21990 Remote Desktop Client Remote Code Execution Vulnerability Important 8.8 Yes No RCE
CVE-2022-24459 Windows Fax and Scan Service Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2022-22006 HEVC Video Extensions Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2022-23277 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2022-24501 VP9 Video Extensions Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2022-24508 Windows SMBv3 Client/Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-21967 Xbox Live Auth Manager for Windows Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-24464 .NET and Visual Studio Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-24469 Azure Site Recovery Elevation of Privilege Vulnerability Important 8.1 No No EoP
CVE-2022-24506 Azure Site Recovery Elevation of Privilege Vulnerability Important 6.5 No No EoP
CVE-2022-24515 Azure Site Recovery Elevation of Privilege Vulnerability Important 6.5 No No EoP
CVE-2022-24518 Azure Site Recovery Elevation of Privilege Vulnerability Important 6.5 No No EoP
CVE-2022-24519 Azure Site Recovery Elevation of Privilege Vulnerability Important 6.5 No No EoP
CVE-2022-24467 Azure Site Recovery Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2022-24468 Azure Site Recovery Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2022-24470 Azure Site Recovery Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2022-24471 Azure Site Recovery Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2022-24517 Azure Site Recovery Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2022-24520 Azure Site Recovery Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2020-8927 * Brotli Library Buffer Overflow Vulnerability Important 6.5 No No N/A
CVE-2022-24457 HEIF Image Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-22007 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-23301 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-24452 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-24453 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-24456 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-21977 Media Foundation Information Disclosure Vulnerability Important 3.3 No No Info
CVE-2022-22010 Media Foundation Information Disclosure Vulnerability Important 4.4 No No Info
CVE-2022-23278 Microsoft Defender for Endpoint Spoofing Vulnerability Important 5.9 No No Spoofing
CVE-2022-23266 Microsoft Defender for IoT Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-23265 Microsoft Defender for IoT Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2022-24463 Microsoft Exchange Server Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2022-24465 Microsoft Intune Portal for iOS Security Feature Bypass Vulnerability Important 3.3 No No SFB
CVE-2022-24461 Microsoft Office Visio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-24509 Microsoft Office Visio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-24510 Microsoft Office Visio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-24511 Microsoft Office Word Tampering Vulnerability Important 5.5 No No Tampering
CVE-2022-24462 Microsoft Word Security Feature Bypass Vulnerability Important 5.5 No No SFB
CVE-2022-23282 Paint 3D Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-23253 Point-to-Point Tunneling Protocol Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2022-23295 Raw Image Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-23300 Raw Image Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-23285 Remote Desktop Client Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-24503 Remote Desktop Protocol Client Information Disclosure Vulnerability Important 5.4 No No Info
CVE-2022-24522 Skype Extension for Chrome Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2022-24460 Tablet Windows User Interface Application Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-24526 Visual Studio Code Spoofing Vulnerability Important 6.1 No No Spoofing
CVE-2022-24451 VP9 Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-23283 Windows ALPC Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-23287 Windows ALPC Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-24505 Windows ALPC Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-24507 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-24455 Windows CD-ROM Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-23286 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-23281 Windows Common Log File System Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-23288 Windows DWM Core Library Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-23291 Windows DWM Core Library Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-23294 Windows Event Tracing Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-23293 Windows Fast FAT File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-24502 Windows HTML Platforms Security Feature Bypass Vulnerability Important 4.3 No No SFB
CVE-2022-21975 Windows Hyper-V Denial of Service Vulnerability Important 4.7 No No DoS
CVE-2022-23290 Windows Inking COM Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-23296 Windows Installer Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-21973 Windows Media Center Update Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2022-23297 Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-23298 Windows NT OS Kernel Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-23299 Windows PDEV Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-23284 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.2 No No EoP
CVE-2022-24454 Windows Security Support Provider Interface Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-24525 Windows Update Stack Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-0789 * Chromium: Heap buffer overflow in ANGLE High N/A No No RCE
CVE-2022-0797 * Chromium: Out of bounds memory access in Mojo High N/A No No RCE
CVE-2022-0792 * Chromium: Out of bounds read in ANGLE High N/A No No RCE
CVE-2022-0795 * Chromium: Type Confusion in Blink Layout High N/A No No RCE
CVE-2022-0790 * Chromium: Use after free in Cast UI High N/A No No RCE
CVE-2022-0796 * Chromium: Use after free in Media High N/A No No RCE
CVE-2022-0791 * Chromium: Use after free in Omnibox High N/A No No RCE
CVE-2022-0793 * Chromium: Use after free in Views High N/A No No RCE
CVE-2022-0794 * Chromium: Use after free in WebShare High N/A No No RCE
CVE-2022-0800 * Chromium: Heap buffer overflow in Cast UI Medium N/A No No RCE
CVE-2022-0807 * Chromium: Inappropriate implementation in Autofill Medium N/A No No Info
CVE-2022-0802 * Chromium: Inappropriate implementation in Full screen mode Medium N/A No No Info
CVE-2022-0804 * Chromium: Inappropriate implementation in Full screen mode Medium N/A No No Info
CVE-2022-0801 * Chromium: Inappropriate implementation in HTML parser Medium N/A No No Tampering
CVE-2022-0803 * Chromium: Inappropriate implementation in Permissions Medium N/A No No SFB
CVE-2022-0799 * Chromium: Insufficient policy enforcement in Installer Medium N/A No No SFB
CVE-2022-0809 * Chromium: Out of bounds memory access in WebXR Medium N/A No No RCE
CVE-2022-0805 * Chromium: Use after free in Browser Switcher Medium N/A No No RCE
CVE-2022-0808 * Chromium: Use after free in Chrome OS Shell Medium N/A No No RCE
CVE-2022-0798 * Chromium: Use after free in MediaStream Medium N/A No No RCE

* Indicates this CVE had previously been released by a 3rd-party and is now being incorporated into Microsoft products.

Looking at the rest of the March release, the 11 CVEs impacting Azure Site Recovery stand out. For those not familiar with it, Site Recovery is a native disaster recovery as a service (DRaaS). This month’s release includes fixes for five elevation of privilege (EoP) and six remote code execution (RCE) bugs in the platform. Considering everything going on in the world, now is a bad time to have issues with your disaster recovery plans. If you’re using this platform, make sure these patches get installed. If you’re not using this platform, take time to review your disaster recovery plans anyway. It couldn’t hurt.

Besides the Exchange bug already mentioned, the Critical-rated fixes in this release both address bugs in HEVC and VP9 video extensions. These updates can be found in the Microsoft Store. If you aren’t connected to the internet or are in an otherwise disconnected environment, you’ll need to manually apply the patch.

Including those already mentioned, there are a total of 28 RCE fixes released today. There are additional updates for the HEVC video extension component. Again, these fixes are obtained through the Microsoft Store. The raw image extension bugs fall into this class as well. There are three fixes for Visio that were reported by kdot through this ZDI program. These bugs include a type confusion, an untrusted pointer deref, and an Out-Of-Bounds (OOB) Write. In each case, a user must open a specially crafted Visio file to be impacted. One of the other publicly known bugs is an RCE in .NET and Visual Studio. There’s scant information about this bug, but if you are developing apps in .NET or Visual Studio, review it carefully. Since RPC bugs are never out of fashion, there’s a fix for event tracing that could result in code execution through a specially crafted RPC connection. There are several caveats to this one that lower the severity, but don’t remove the risk completely.

Rounding out the RCE bugs is one submitted by an anonymous researcher through the ZDI program impacts Microsoft Defender for IoT. The vulnerability exists within the password change mechanism. It results from the lack of proper validation of a user-supplied string before using it to execute a system call. Defender for IoT also receives a patch for an EoP bug found by ZDI Vulnerability Researcher Simon Zuckerbraun. This bug also occurs within the password change mechanism, but here, the bug is caused by the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root.

Moving on to the other EoP cases, most would require an attacker to log on to a system and run a specially crafted program. Several of these fixes note that the vulnerability is the result of a race condition, making exploitation somewhat unreliable. There are some interesting components receiving fixes for privilege escalations this month, including the FAT file system, the Fax and Scan Service, and the CD-ROM driver. It’s almost retro. Another interesting component is the Windows PDEV, which is a logical representation of a physical device characterized by the type of hardware, logical address, and surfaces that can be supported. ZDI Vulnerability Researcher Lucas Leong reported a Use-After-Free (UAF) bug in the handling of PDEV objects. An attacker could use this to escalate privileges and execute arbitrary code in the context of SYSTEM.

Six of this month’s fixes address information disclosure bugs. For the most part, these only result in leaks consisting of unspecified memory contents. The lone exception is the bug impacting the Skype for Chrome extension. This vulnerability could inadvertently disclose the Skype ID of a target. An attacker could gain access to that ID they could match it within Skype to a name and Avatar of the target user. If you’re using Skype for Chrome, you’ll need to get the update through the Chrome Web Store.

There are four updates to address DoS bugs in this release, and two stand out over the others. The first is a DoS in Hyper-V, which is always inconvenient if you happen to be one of the other guest OSes on that Hyper-V server. The other is a vulnerability in the Point-to-Point Tunneling (PPTP) protocol, which is used in the implementation of virtual private networks (VPN) that allow people to extend their private networks over the Internet via “tunnels”. There are no details about this bug given, but anything that could take down a VPN is unwelcome – especially since so many of us rely on VPNs to work from home (or wherever).

Three different components receive fixes for security feature bypasses (SFB) in this month’s release. The first continues the retro theme by fixing bugs in the Windows HTML platforms, including Internet Explorer and Edge (HTML-Based). Microsoft does not indicate which security feature is bypassed, but considering how pervasive MSHTML continues to be, patching is certainly recommended. Word receives a fix for an SFB bug that could allow specific protections to be bypassed in Protected View. This could potentially result in a user opening a malicious document but not receiving the intended warning dialogs. The final SFB fix applies to the Intune Portal for iOS. An attacker could use this vulnerability to bypass the Intune policy file save location and presumably load their own policy instead.

This month’s release includes three updates for spoofing bugs. The Exchange spoofing bug could allow an authenticated attacker to view file content on the affected server. Microsoft provides little information about the spoofing bugs in Defender Endpoint and Visual Studio other than to say the Defender bug requires knowledge of the target environment and the Visual Studio bug requires a user to open a file.

We wrap up this month’s release with an odd tampering bug in Microsoft Word. Microsoft gives no information on how the vulnerability can be exploited, but they do indicate information from the victim can be sent to the attacker, and that the Preview Pane is an attack vector. It sounds like a specially crafted Word doc can send potentially sensitive information to an attacker when the document is opened or viewed in the Preview Pane. Office for Mac users are out of luck as well, as the patches for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 are not available yet. It will be interesting to see if additional information is released about this bug in the future.

No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV990001.

Looking Ahead

The next Patch Tuesday falls on April 12, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The March 2022 Security Update Review

The April 2022 Security Update Review

12 April 2022 at 18:08

Another Patch Tuesday is upon, and Adobe and Microsoft have released a bevy of new security updates. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for April 2022

For April, Adobe released four updates addressing 70 CVEs in Acrobat and Reader, Photoshop, After Effects, and Adobe Commerce. The update for Acrobat and Reader is by far the largest, with 62 CVEs being addressed. A total of 54 of these CVEs were reported through the ZDI program, with ZDI vulnerability analyst Mat Powell responsible for 27 of these. The more severe vulnerabilities being fixed are the Critical-Rated Use-After-Free (UAF) and Out-of-Bounds (OOB) Write bugs. These could allow an attacker to execute code on a target system if they can convince a user to open a specially crafted PDF document. There are 13 CVEs fixed in the patch for Photoshop, and all of these were reported through the ZDI program. All the vulnerabilities addressed by this patch address Critical-rated code execution bugs. Again, an attacker would need to convince a user to open a specially crafted file to gain code execution.

The update for After Effects addresses two Critical-rated CVEs that could allow for code execution. Both bugs are listed as stack-based buffer overflows. Finally, the patch for Adobe Commerce fixes a single, Critical-rated vulnerability. Adobe rates this as a CVSS 9.1, but they also point out authentication would be required to exploit this bug. They also note admin privileges are required, so the high CVSS is somewhat puzzling. Still, if you’re using Commerce, test and deploy this patch as soon as you are able.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.

Microsoft Patches for April 2022

This month, Microsoft released 128 new patches addressing CVEs in Microsoft Windows and Windows Components, Microsoft Defender and Defender for Endpoint, Microsoft Dynamics, Microsoft Edge (Chromium-based), Exchange Server, Office and Office Components, SharePoint Server, Windows Hyper-V, DNS Server, Skype for Business, .NET and Visual Studio, Windows App Store, and Windows Print Spooler Components. This is in addition to the 17 CVEs consumed from the Chromium Open-Source Software (OSS) by Microsoft Edge (Chromium-based), which brings the April total to 145 CVEs.

Of the 128 new CVEs released today, 10 are rated Critical, 115 are rated Important, and three are rated Moderate in severity. A total of six of these bugs came through the ZDI program. This large volume of patches hasn’t been seen since the fall of 2020. However, this level is similar to what we saw in the first quarter of last year.

One of the bugs patched is listed as under active exploit this month, and one other is listed as publicly known at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with a Critical-rated bug that could prove wormable:

-       CVE-2022-26809 - RPC Runtime Library Remote Code Execution Vulnerability
This bug is rated as a CVSS 9.8, and the exploit index notes exploitation is more likely. The vulnerability could allow a remote attacker to executed code at high privileges on an affected system. Since no user interaction is required, these factors combine to make this wormable, at least between machine where RPC can be reached. However, the static port used here (TCP port 135) is typically blocked at the network perimeter. Still, this bug could be used for lateral movement by an attacker. Definitely test and deploy this one quickly.

-       CVE-2022-24491/24497 – Windows Network File System Remote Code Execution Vulnerability
Speaking of nearly wormable bugs, these two NFS vulnerabilities also rate a 9.8 CVSS and are listed as exploitation more likely. On systems where the NFS role is enabled, a remote attacker could execute their code on an affected system with high privileges and without user interaction. Again, that adds up to a wormable bug – at least between NFS servers. Similar to RPC, this is often blocked at the network perimeter. However, Microsoft does provide guidance on how the RPC port multiplexer (port 2049) “is firewall-friendly and simplifies deployment of NFS.” Check your installations and roll out these patches rapidly.

-       CVE-2022-26815 - Windows DNS Server Remote Code Execution Vulnerability
This vulnerability is the most severe of the 18(!) DNS Server bugs receiving patches this month. This bug is also very similar to one patched back in February, which makes one wonder if this bug is the result of a failed patch. There are a couple of important mitigations to point out here. The first is that dynamic updates must be enabled for a server to be affected by this bug. The CVSS also lists some level of privileges to exploit. Still, any chance of an attacker getting RCE on a DNS server is one too many, so get your DNS servers patched.

-       CVE-2022-26904 - Windows User Profile Service Elevation of Privilege Vulnerability
This is one of the publicly known bugs patched this month, and not only is PoC out there for it, there’s a Metasploit module as well. This privilege escalation vulnerability allows an attacker to gain code execution at SYSTEM level on affected systems. They would, of course, need some level privileges before they could escalate. That’s why these types of bugs are often paired with code execution bugs like the ones in Adobe Reader (mentioned above) to completely take over a system.

Here’s the full list of CVEs released by Microsoft for April 2022:

CVE Title Severity CVSS Public Exploited Type
CVE-2022-24521 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2022-26904 Windows User Profile Service Elevation of Privilege Vulnerability Important 7 Yes No EoP
CVE-2022-23259 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2022-26809 RPC Runtime Library Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2022-22008 Windows Hyper-V Remote Code Execution Vulnerability Critical 7.7 No No RCE
CVE-2022-23257 Windows Hyper-V Remote Code Execution Vulnerability Critical 8.6 No No RCE
CVE-2022-24537 Windows Hyper-V Remote Code Execution Vulnerability Critical 7.7 No No RCE
CVE-2022-26919 Windows LDAP Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2022-24491 Windows Network File System Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2022-24497 Windows Network File System Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2022-24541 Windows Server Service Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2022-24500 Windows SMB Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2022-26832 .NET Framework Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-26907 Azure SDK for .NET Information Disclosure Vulnerability Important 5.3 No No Info
CVE-2022-26896 Azure Site Recovery Elevation of Privilege Vulnerability Important 4.9 No No EoP
CVE-2022-26897 Azure Site Recovery Elevation of Privilege Vulnerability Important 4.9 No No EoP
CVE-2022-26898 Azure Site Recovery Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2022-24489 Cluster Client Failover (CCF) Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-24479 Connected User Experiences and Telemetry Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-26830 DiskUsage.exe Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2022-24767 GitHub: Git for Windows' uninstaller vulnerable to DLL hijacking when run under the SYSTEM user account Important Unknown No No EoP
CVE-2022-24765 GitHub: Uncontrolled search for the Git directory in Git for Windows Important Unknown No No EoP
CVE-2022-24532 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-24496 Local Security Authority (LSA) Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-24548 Microsoft Defender Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2022-24475 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important 8.3 No No EoP
CVE-2022-26891 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important 8.3 No No EoP
CVE-2022-26894 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important 8.3 No No EoP
CVE-2022-26895 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important 8.3 No No EoP
CVE-2022-26900 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important 8.3 No No EoP
CVE-2022-26908 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important 8.3 No No EoP
CVE-2022-24473 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-26901 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-26924 YARP Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-24493 Microsoft Local Security Authority (LSA) Server Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-23292 Microsoft Power BI Spoofing Vulnerability Important 7.1 No No Spoofing
CVE-2022-24472 Microsoft SharePoint Server Spoofing Vulnerability Important 8 No No Spoofing
CVE-2022-26788 PowerShell Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-24533 Remote Desktop Protocol Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2022-24492 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-24528 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-26910 Skype for Business and Lync Spoofing Vulnerability Important 5.3 No No Spoofing
CVE-2022-26911 Skype for Business Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2022-26921 Visual Studio Code Elevation of Privilege Vulnerability Important Unknown No No EoP
CVE-2022-24513 Visual Studio Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-24485 Win32 File Enumeration Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2022-21983 Win32 Stream Enumeration Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2022-24534 Win32 Stream Enumeration Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2022-26914 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-24482 Windows ALPC Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-24540 Windows ALPC Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-24494 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-24549 Windows AppX Package Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-26828 Windows Bluetooth Driver Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-24484 Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2022-24538 Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2022-26784 Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2022-24481 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-24488 Windows Desktop Bridge Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-24547 Windows Digital Media Receiver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-24495 Windows Direct Show - Remote Code Execution Vulnerability Important 7 No No RCE
CVE-2022-26816 Windows DNS Server Information Disclosure Vulnerability Important 4.9 No No Info
CVE-2022-24536 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2022-26811 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2022-26812 Windows DNS Server Remote Code Execution Vulnerability Important 6.7 No No RCE
CVE-2022-26813 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2022-26814 Windows DNS Server Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2022-26815 Windows DNS Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-26817 Windows DNS Server Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2022-26818 Windows DNS Server Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2022-26819 Windows DNS Server Remote Code Execution Vulnerability Important 6.6 No No RCE
CVE-2022-26820 Windows DNS Server Remote Code Execution Vulnerability Important 6.6 No No RCE
CVE-2022-26821 Windows DNS Server Remote Code Execution Vulnerability Important 6.6 No No RCE
CVE-2022-26822 Windows DNS Server Remote Code Execution Vulnerability Important 6.6 No No RCE
CVE-2022-26823 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2022-26824 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2022-26825 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2022-26826 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2022-26829 Windows DNS Server Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2022-24546 Windows DWM Core Library Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-24527 Windows Endpoint Configuration Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-26916 Windows Fax Compose Form Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-26917 Windows Fax Compose Form Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-26918 Windows Fax Compose Form Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-26808 Windows File Explorer Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-26810 Windows File Server Resource Management Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-26827 Windows File Server Resource Management Service Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-26920 Windows Graphics Component Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-26903 Windows Graphics Component Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-23268 Windows Hyper-V Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2022-22009 Windows Hyper-V Remote Code Execution Vulnerability Important 7.7 No No RCE
CVE-2022-24490 Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability Important 8.1 No No Info
CVE-2022-24539 Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability Important 8.1 No No Info
CVE-2022-26783 Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2022-26785 Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2022-24499 Windows Installer Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-24530 Windows Installer Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-24498 Windows iSCSI Target Service Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2022-24486 Windows Kerberos Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-24544 Windows Kerberos Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-24545 Windows Kerberos Remote Code Execution Vulnerability Important 8.1 No No RCE
CVE-2022-24483 Windows Kernel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-26831 Windows LDAP Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-24487 Windows Local Security Authority (LSA) Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-26786 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-26787 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-26789 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-26790 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-26791 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-26792 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-26793 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-26794 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-26795 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-26796 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-26797 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-26798 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-26801 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-26802 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-26803 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-26915 Windows Secure Channel Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-24550 Windows Telephony Server Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-24543 Windows Upgrade Assistant Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-24474 Windows Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-24542 Windows Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-26807 Windows Work Folder Service Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-26909 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Moderate 8.3 No No EoP
CVE-2022-26912 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Moderate 8.3 No No EoP
CVE-2022-24523 Microsoft Edge (Chromium-based) Spoofing Vulnerability Moderate 4.3 No No EoP
CVE-2022-1129 * Chromium: Inappropriate implementation in Full Screen Mode High N/A No No RCE
CVE-2022-1128 * Chromium: Inappropriate implementation in Web Share API High N/A No No RCE
CVE-2022-1130 * Chromium: Insufficient validation of untrusted input in WebOTP High N/A No No RCE
CVE-2022-1134 * Chromium: Type Confusion in V8 High N/A No No RCE
CVE-2022-1232 * Chromium: Type Confusion in V8 High N/A No No RCE
CVE-2022-1131 * Chromium: Use after free in Cast UI High N/A No No RCE
CVE-2022-1125 * Chromium: Use after free in Portals High N/A No No RCE
CVE-2022-1127 * Chromium: Use after free in QR Code Generator High N/A No No RCE
CVE-2022-1133 * Chromium: Use after free in WebRTC High N/A No No RCE
CVE-2022-1143 * Chromium: Heap buffer overflow in WebUI Medium N/A No No RCE
CVE-2022-1139 * Chromium: Inappropriate implementation in Background Fetch API Medium N/A No No N/A
CVE-2022-1137 * Chromium: Inappropriate implementation in Extensions Medium N/A No No N/A
CVE-2022-1138 * Chromium: Inappropriate implementation in Web Cursor Medium N/A No No N/A
CVE-2022-1145 * Chromium: Use after free in Extensions Medium N/A No No RCE
CVE-2022-1135 * Chromium: Use after free in Shopping Cart Medium N/A No No RCE
CVE-2022-1136 * Chromium: Use after free in Tab Strip Medium N/A No No RCE
CVE-2022-1146 * Chromium: Inappropriate implementation in Resource Timing Low N/A No No EoP

* Indicates this CVE had previously been released by a 3rd-party and is now being incorporated into Microsoft products.

We should also call attention CVE-2022-24521, which is a bug in the Windows Common Log File System Driver and listed as under active attack. Since this vulnerability only allows a privilege escalation, it is likely paired with a separate code execution bug. We should also point out that this was reported by the National Security Agency. It’s not stated how widely the exploit is being used in the wild, but it’s likely still targeted at this point and not broadly available. Go patch your systems before that situation changes.

Looking at the remaining Critical-rated bugs patched this month, there are three RCE vulnerabilities impacted the Hyper-V server. In these cases, someone on a guest OS could gain code execution on the underlying host OS. There’s a bug in the LDAP service that’s remote and does not require user interaction. However, to be affected, the default setting for MaxReceiveBuffer LDAP setting must be changed. This isn’t something that’s commonly tweaked, but if your environment has this setting, pay attention to this one. There are Critical patches for SMB and the Server service. In both cases, a user must connect to a malicious share, which would typically require some form of social engineering – like a link in an email or instant message. This is yet another port (TCP 445) that should be blocked at the perimeter. Finally, there’s an update for Microsoft Dynamics 365 (on prem). This vulnerability requires a user to run a specially crafted trusted solution package to execute arbitrary SQL commands. This would allow an attacker to escalate and execute commands with the privileges of the db_owner.

Moving on to the Important-rated patches, the first that stand out are the bunches of fixes for some all too familiar components. We’ve already mentioned the 18 fixes for the DNS Server component. Most of these have multiple mitigations, but many could allow remote code execution. There’s one info disclosure bug thrown in there for good measure. Despite this component being around for years, it seems there are still bugs to find. There are also 15 patches for the Print Spooler this month. Ever since PrintNightmare last year, print spooler bugs seem to just keep coming. It makes sense as the printing system is complex and offers attackers a broad attack surface. Let’s hope these patches don’t cause the types of problems introduced by some the other printer-related patches. And when it comes to large groups of patches, there are a mountain of CVEs affecting the Edge (Chromium-based) browser as well. Most of these bugs were patched by Google and consumed by Edge earlier this month. However, this demonstrates the risk of everyone relying on the same browser platform. A bug in one is now shared by many.  

In total, there are 47 patches to correct RCE bugs in this month’s patch. Beyond those already mentioned, there’s yet another RDP client bug that would allow code execution if a user connected to a malicious RDP server. If that sounds familiar, there was a similar bug last month (and more going back months prior). There are a few open-and-own bug in Office components, most notably Excel. The chances of people applying patches to Excel before April 15 seem low, so let’s hope these bugs don’t get exploited. There are a couple of intriguing bugs affecting Win32 file enumeration, although these also require a user to connect to a malicious server or share. There hasn’t been much research on this component, so it will be interesting to see if further bugs are found. Finally, there’s an RCE in Kerberos, but to be affected, the system needs Restricted Admin or Windows Defender Remote Credential Guard enabled on a box with Remote Desktop Connections configured. It’s not clear how common this configuration is, but you should check your systems and apply the update as needed.

The April release includes 59 patches to address Elevation of Privilege (EoP) bugs this month. For the most part, these are in Windows components and would need to be paired with an RCE to allow an attacker to take over a system. A few do stand out. The first is a vulnerability in the Windows Telephony Server that was reported by ZDI vulnerability researcher Simon Zuckerbraun. This flaw exists within the CreateObjectHandler COM object. Crafted method invocations on this object can trigger the deserialization of untrusted data. There are also a pair of bugs in Azure Site Recovery that should be called out as well. Don’t let the admin credential requirement fool you. This bug applies to the VMWare-to-Azure scenario, and administrators will need to upgrade to the latest version to mitigate these vulns.

There are 10 fixes address that address information disclosure bugs. For the most part, these only result in leaks consisting of unspecified memory contents. The lone exception is the bug impacting the Skype for Business. This vulnerability could inadvertently disclose file content to an attacker, but Microsoft doesn’t specific if any file content can be exposed or if just files in specific locations.

April brings eight updates to address DoS bugs, and a few stand out over the others. There’s a DoS in Microsoft Defender, but Microsoft provides no details. Another is a DoS bug in Hyper-V, which is always inconvenient if you happen to be one of the other guest OSes on that Hyper-V server. There are a trio of DoS vulnerabilities in the Windows Cluster Shared Volume (CSV) component, but again, Microsoft provides not details on how the DoS manifests. There are also no details provided about the DoS in Windows Secure Channel, but considering how much relies on schannel these days, definitely don’t take this update lightly.

This month’s update is rounded out by three updates addressing spoofing bugs. The spoofing bug in SharePoint could allow an authenticated user to send malicious content in SIP Address field. This would allow the user to have access to content that is otherwise not authorized. The spoofing vulnerability in Skype for Business and Lync could expose IP addresses or port numbers to an attacker. Finally, the patch for Power BI requires multiple uses hitting the gateway at the same time. While this can likely be scripted, it does increase the attack complexity.

No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV990001.

Looking Ahead

The next Patch Tuesday falls on May 10, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The April 2022 Security Update Review

Pwn2Own Miami 2022 Schedule

18 April 2022 at 23:14

¡Bienvenidos de nuevo a Miami!

Welcome to Pwn2Own Miami 2022! This year’s ICS-focused event promises to be three days of great research and exploits, as we have 32 total entries from 11 contestants. As always, we began our contest with a random drawing to determine the order of attempts. If you missed it, you can watch the replay here.

The complete schedule for the contest is below (all times Eastern [GMT -4:00]).

Note: All times subject to change - You can see the results and live updates here once they become available. Entries marked with a 📷 icon will be live streamed on YouTube, Twitch, and Twitter.

Tuesday, April 19

09:30 - 20urdjk targeting Unified Automation C++ Demo Server with a DoS in the OPC UA Server category

10:30 - @_s_n_t from @pentestltd targeting Inductive Automation Ignition with an RCE in the Control Server category

📷 11:30 - Incite Team of Steven Seeley (@steventseeley) and Chris Anastasio (@mufinnnnnnn) targeting Iconics Genesis64 with an RCE in the Control Server category

11:30: Or Peles, Omer Kaspi and Uriya Yavnieli from JFrog Security Research targeting the Unified Automation C++ Demo Server with a DoS in the OPC UA Server category

13:00 - Flashback Team of Pedro Ribeiro (@pedrib1337) and Radek Domanski (@RabbitPro) targeting AVEVA Edge with an RCE in the Human Machine Interface category

13:00 - Daan Keuper (@daankeuper) and Thijs Alkemade (@xnyhps) from Computest Sector 7 (@sector7_nl) targeting Inductive Automation Ignition with an RCE in the Control Server category

📷 14:00 - Axel '0vercl0k' Souchet of https://doar-e.github.io targeting Iconics Genesis64 with an RCE in the Control Server category

14:00 - Claroty Research targeting the Prosys OPC UA SDK for Java with a DoS in the OPC UA Server category

15:00 - Daan Keuper (@daankeuper) and Thijs Alkemade (@xnyhps) from Computest Sector 7 (@sector7_nl) targeting AVEVA Edge with an RCE in the Human Machine Interface category

15:00 - 20urdjk targeting Inductive Automation Ignition with an RCE in the Control Server category

16:00 - Incite Team of Steven Seeley (@steventseeley) and Chris Anastasio (@mufinnnnnnn) targeting Triangle Microworks SCADA Data Gateway with an RCE in the Data Gateway category

16:00 - Claroty Research (@claroty) targeting Iconics Genesis64 with an RCE in the Control Server category

📷 17:00 - Flashback Team of Pedro Ribeiro (@pedrib1337) and Radek Domanski (@RabbitPro) targeting Inductive Automation Ignition with an RCE in the Control Server category

18:00 - Claroty Research (@claroty) targeting the OPC Foundation OPC UA .NET Standard with a DoS in the OPC UA Server category

18:00 - Daan Keuper (@daankeuper) and Thijs Alkemade (@xnyhps) from Computest Sector 7 (@sector7_nl) targeting Iconics Genesis64 with an RCE in the Control Server category

19:00 - Incite Team of Steven Seeley (@steventseeley) and Chris Anastasio (@mufinnnnnnn) targeting AVEVA Edge with an RCE in the Human Machine Interface category

Wednesday, April 20

09:30 - Daan Keuper (@daankeuper) and Thijs Alkemade (@xnyhps) from Computest Sector 7 (@sector7_nl) targeting the Unified Automation C++ Demo Server with a DoS in the OPC UA Server category

10:30 - Piotr Bazydło (@chudyPB) targeting Inductive Automation Ignition with an RCE in the Control Server category

11:30 - Or Peles, Omer Kaspi and Uriya Yavnieli from JFrog Security Research targeting the OPC Foundation OPC UA .NET Standard with an DoS in the OPC UA Server category

11:30 - Ben McBride (@bdmcbri) targeting Iconics Genesis64 with an RCE in the Control Server category

12:30 - Incite Team of Steven Seeley (@steventseeley) and Chris Anastasio (@mufinnnnnnn) targeting Inductive Automation Ignition with an RCE in the Control Server category

12:30 - Claroty Research (@claroty) targeting AVEVA Edge with an RCE in the Human Machine Interface category

📷 13:30 - Daan Keuper (@daankeuper) and Thijs Alkemade (@xnyhps) from Computest Sector 7 (@sector7_nl) targeting the OPC Foundation OPC UA .NET Standard with a Bypass of the Trusted Application Check in the OPC UA Server category

13:30 - Piotr Bazydło (@chudypb) targeting Iconics Genesis64 with an RCE in the Control Server category

14:30 - Christopher Hernandez targeting AVEVA Edge with an RCE in the Human Machine Interface category

15:30 - Claroty Research (@claroty) targeting Unified Automation C++ Demo Server with a DoS in the OPC UA Server category

15:30 - Flashback Team of Pedro Ribeiro (@pedrib1337) and Radek Domanski (@RabbitPro) targeting Iconics Genesis64 with an RCE in the Control Server category

16:30 - Piotr Bazydło (@chudypb) targeting AVEVA Edge with an RCE in the Human Machine Interface category

📷 17:20 - Claroty Research (@claroty) targeting Kepware KEPServerEx with an RCE in the Data Gateway category

Thursday, April 21

09:30 - Incite Team of Steven Seeley (@steventseeley) and Chris Anastasio (@mufinnnnnnn) targeting Softing Secure Integration Server with an RCE in the OPC UA Server category

10:30 - Flashback Team of Pedro Ribeiro (@pedrib1337) and Radek Domanski (@RabbitPro) targeting Softing Secure Integration Server with an RCE in the OPC UA Server category

11:30 - Claroty Research (@claroty) targeting the Softing Secure Integration Server with a DoS in the OPC UA Server category

We’ll be posting updates on our Twitter page, and look for live video updates on Twitter as well. We wish all contestants good luck, and may all your exploits be unique and effective.

Pwn2Own Miami 2022 Schedule

Pwn2Own Miami 2022 Results

19 April 2022 at 16:55

Pwn2Own Miami for 2022 has wrapped up, and it was an amazing three days of competition. In total, we awarded $400,000 for 26 unique 0-days (plus a few bug collisions). With 90 points accumulated over three days, the team of Daan Keuper (@daankeuper) and Thijs Alkemade (@xnyhps) from Computest Sector 7 (@sector7_nl) have won Master of Pwn! You can see all of the points and full results from all entries below.

Daan Keuper (center left) and Thijs Alkemade receive their Master of Pwn jackets and trophy from ZDI’s Dustin Childs (far left) and ZDI Director Brian Gorenc

Thanks again to all of the competitors who participated. We couldn’t have a contest without them. Thanks also to the participating vendors for their cooperation and for providing fixes for the bugs disclosed throughout the contest. As a reminder, vendors have 120 days to produce a fix for all vulnerabilities reported.

Jump to Day One results; Jump to Day Two results; Jump to Day Three results

Final Master of Pwn standings

Day One - April 19, 2022

SUCCESS - 20urdjk was able to execute their DoS attack against Unified Automation C++ Demo Server. They earn $5,000 and 5 Master of Pwn points.

SUCCESS - Sam Thomas (@_s_n_t) from @pentestltd combined an auth bypass and a deserialization bug to get code execution. They win $20,000 and 20 points towards Master of Pwn.

SUCCESS - Or Peles, Omer Kaspi and Uriya Yavnieli from JFrog Security Research leveraged a Use-After-Free (UAF) bug to create a DoS on the Unified Automation C++ Demo Server. They win $5,000 and 5 Master of Pwn points.

SUCCESS - After a slight logistical delay, Incite Team of Steven Seeley (@steventseeley) and Chris Anastasio (@mufinnnnnnn) used a deserialization bug to get their code executing on #Iconics Genesis64. They earn $20,000 and 20 Master of Pwn points.

SUCCESS - Daan Keuper (@daankeuper) and Thijs Alkemade (@xnyhps) from Computest Sector 7 (@sector7_nl) used a missing authentication for critical function vuln to execute code on Inductive Automation Ignition. They win $20,000 and 20 Master of Pwn points.

SUCCESS - Flashback Team of Pedro Ribeiro (@pedrib1337) and Radek Domanski (@RabbitPro) used an Uncontrolled Search Path bug in AVEVA Edge to execute their code. In doing so, they win $20,000 and 20 points towards Master of Pwn.

SUCCESS - The Claroty Research (@claroty) team of Noam Moshe, Vera Mens, Amir Preminger, Uri Katz, and Sharon Brizinov used a resource exhaustion bug to execute their DoS on the Prosys OPC UA SDK for Java. This wins them $5,000 and 5 Master of Pwn points.

SUCCESS - Axel '0vercl0k' Souchet of https://doar-e.github.io used a double free bug to execute his code on Iconics Genesis64. He wins $20,000 and 20 Master of Pwn points. You can watch a replay of this attempt here.

SUCCESS - Daan Keuper (@daankeuper) and Thijs Alkemade (@xnyhps) from Computest Sector 7 (@sector7_nl) used an uncontrolled search path vulnerability to get RCE in AVEVA Edge. They win $20,000 and 20 Master of Pwn points.

SUCCESS - 20urdjk used a file upload vulnerability on Inductive Automation Ignition to get RCE. He wins $20,000 and 20 more points towards Master of Pwn. His contest total is now $25,000 and 25 points.

SUCCESS - The Incite Team of Steven Seeley (@steventseeley) and Chris Anastasio (@mufinnnnnnn) used a pair of bugs, including a directory traversal, to get code execution on Triangle Microworks SCADA Data Gateway. The win another $20,000 and 20 more Master of Pwn points.

BUG COLLISION - While the Claroty Research (@claroty) team of Noam Moshe, Vera Mens, Amir Preminger, Uri Katz, and Sharon Brizinov successfully demonstrated RCE against Iconics Genesis64, the bug used was one we already knew about. They still win $5,000 and 5 Master of Pwn points.

BUG COLLISION - The Flashback Team of Pedro Ribeiro (@pedrib1337) and Radek Domanski (@RabbitPro) were able to get code execution on Inductive Automation Ignition, but the bug they used was previously known. They still win $5,000 and 5 Master of Pwn points.

BUG COLLISION - Daan Keuper (@daankeuper) and Thijs Alkemade (@xnyhps) from Computest Sector 7 (@sector7_nl) successfully popped calc, but the bug they used had been disclosed earlier in the competition. They still win $5,000 and 5 Master of Pwn points.

SUCCESS - The Claroty Research (@claroty) team of Noam Moshe, Vera Mens, Amir Preminger, Uri Katz, and Sharon Brizinov used a resource exhaustion bug to perform a DoS on the OPC Foundation OPC UA .NET Standard. They earn $5,000 and 5 Master of Pwn points.

SUCCESS - Incite Team of Steven Seeley (@steventseeley) and Chris Anastasio (@mufinnnnnnn) end Day One of Pwn2Own Miami 2022 by using a deserialization bug to execute code on AVEVA Edge. They win another $20,000 and 20 more Master of Pwn points. Their Day One total is $60,000 and 60 points.

Day Two - April 20, 2022

SUCCESS - Daan Keuper (@daankeuper) and Thijs Alkemade (@xnyhps) from Computest Sector 7 (@sector7_nl) used an infinite loop condition to create a DoS against the Unified Automation C++ Demo Server. They earn $5,000 and 5 points towards Master of Pwn.

Thijs Alkemade (left) and Daan Keuper from Computest Sector 7 watch their exploit run

SUCCESS - Piotr Bazydło (@chudyPB) used a deserialization bug to exploit Inductive Automation Ignition and execute his code on the system. He earns $20,000 and 20 Master of Pwn points.

SUCCESS - Ben McBride (@bdmcbri) used an exposed dangerous function bug to get RCE on Iconics Genesis64. He earns himself $20,000 and 20 Master of Pwn points.

SUCCESS - Or Peles, Omer Kaspi and Uriya Yavnieli from JFrog Security Research used a stack exhaustion bug to perform a DoS on the OPC Foundation OPC UA .NET Standard. They earn another $5,000 and 5 more Master of Pwn points.

BUG COLLISION - The Claroty Research (@claroty) team of Noam Moshe, Vera Mens, Amir Preminger, Uri Katz, and Sharon Brizinov did achieve RCE against AVEVA Edge, however the bug they used had been seen previously in the contest. They still earn $5,000 and 5 more Master of Pwn points.

ZDI analyst Peter Girnus (left) confers with Sharon Brizinov of the Claroty Research team

FAILURE - Incite Team of Steven Seeley (@steventseeley) and Chris Anastasio (@mufinnnnnnn) were unable to get their exploit of Inductive Automation Ignition working within the time allotted.

The Incite Team of Chris Anastasio (far left) and Steve Seeley watch their attempt as ZDI analysts Michel DePlante and Joshua Smith observe.

BUG COLLISION - Piotr Bazydło (@chudyPB) was able to get RCE on Iconics Genesis64, however the bug he used had been previously seen. He still earns $5,000 and 5 Master of Pwn points.

Piotr Bazydło participates remotely as he discusses his exploit with ZDI analyst Tony Fuller

SUCCESS - Daan Keuper (@daankeuper) and Thijs Alkemade (@xnyhps) from Computest Sector 7 (@sector7_nl) used one of the more interesting bugs we've ever seen at a Pwn2Own to bypass the trusted application check on the OPC Foundation OPC UA .NET Standard. The earn $40,000 and 40 Master of Pwn points. Their contest total is now at $90,000 with a commanding lead in Master of Pwn.

Thijs Alkemade (left) and Daan Keuper of Computest Sector 7 review their exploit as ZDI analyst Mat Powell watches the results.

BUG COLLISION - While Christopher Hernandez (@piffd0s) was able to show his RCE on AVEVA Edge, the bug he used was previous disclosed. He still earns $5,000 and 5 Master of Pwn points.

FAILURE - The Claroty Research (@claroty) team of Noam Moshe, Vera Mens, Amir Preminger, Uri Katz, and Sharon Brizinov were unable to get their DoS exploit of the Unified Automation C++ Demo Server working within the time allotted.

BUG COLLISION - The Flashback Team of Pedro Ribeiro (@pedrib1337) and Radek Domanski (@RabbitPro) did demonstrate their RCE on Iconics Genesis64, the bug used had been previously disclosed. They still win $5,000 and 5 Master of Pwn points.

Radek Domanski (left) and Pedro Ribeiro watch their exploit as ZDI members Tony Fuller, Brian Gorenc, and Bobby Gould observe

SUCCESS - Piotr Bazydło (@chudyPB) used an untrusted search path bug to get code execution on AVEVA Edge. He wins another $20,000 and 20 Master of Pwn points. That brings his contest total to $45,000.

SUCCESS - The Claroty Research (@claroty) team of Noam Moshe, Vera Mens, Amir Preminger, Uri Katz, and Sharon Brizinov needed a little time, but they did get their amazing buffer overrun chain to achieve code execution against Kepware KEPServerEx. They earned $20,000 and 20 Master of Pwn points.

Uri Katz (left) and Sharon Brizinov of Claroty Research work with ZDI analysts Michel DePlante and Tony Fuller to prepare their exploit

Day Three - April 21, 2022

SUCCESS - The Incite Team of Steven Seeley (@steventseeley) and Chris Anastasio (@mufinnnnnnn) used a pair of bugs, including a directory traversal, to exploit the Softing Secure Integration server and run their code. They earn $20K and 20 Master of Pwn points. That brings their conference total to $80,000.

SUCCESS/BUG COLLISION - The Flashback Team of Pedro Ribeiro (@pedrib1337) and Radek Domanski (@RabbitPro) combined 3 bugs to get RCE on the Softing Secure Integration Server, but two were previously known. Their exploit chain earned them $10,000 and 10 Master of Pwn points. They end the contest with $40,000 total.

SUCCESS - The Claroty Research (@claroty) team of Noam Moshe, Vera Mens, Amir Preminger, Uri Katz, and Sharon Brizinov used a null pointer deref to perform their DoS on the Softing Secure Integration Server. They earn $5,000 and 5 Master of Pwn points, which brings their contest total to $45,000.

Pwn2Own Miami 2022 Results

What to Expect when Exploiting: A Guide to Pwn2Own Participation

So you’ve heard of Pwn2Own and think you are up to the challenge of competing in the world’s most prestigious hacking competition. Great! We would love to have you! However, there are a few things you should know before we get started. With Pwn2Own Vancouver just around the corner, here are 10 things you need to know before participating in Pwn2Own.

1.     You need to register before the contest.

We try to make this as apparent as possible in the rules, but we still have people walk into the room on the first day of the contest hoping to participate. There are a lot of logistics around Pwn2Own, so we need everyone to complete their registration before the contest starts. We can’t support anyone who wants to join on the first day of the competition.

2.     You need to answer the vetting email.

Again, the logistics of running the Pwn2Own competition can be daunting. One way we prepare is by vetting all entries before registration closes. We need to understand the nature of your exploit to ensure it fits within the rules and to ensure we have everything we need on hand to run the attempt. For example, we need to know how you plan on demonstrating if the exploit is successful. If you answer, “Our exploit will provide a root shell when it has succeeded” – we know you have a solid plan and that it is within the rules. If you tell us you need to start as an admin user and require four reboots, your entry is unlikely to qualify. We’ll also ask for things like other user interactions or the need for a Man-in-the-Middle (MitM). These could disqualify the entry – or it could be fine. It depends on the target and details, which is why we want to know before the competition. It’s not fair to any of the contestants to have them think their exploit is a winner just to be disqualified during the contest.

3.     What should we call you?

We know people enter Pwn2Own to win cash and prizes, but they want recognition, too. We’re more than happy to include your Twitter handle, your company name, or just about anything else. Just let us know. We try to pre-stage a lot of our communications, so an omission or misspelling could take a bit to get fixed, and we want to give contestants the attention they deserve. You’d be surprised how many people wait until during or after the event to clarify how they wish to be mentioned.

4.     Will you be participating locally or remotely?

This is a newer question but opening up the contest to remote participation has allowed many to participate that otherwise would not. However, remote contestants have a few extra hurdles the on-site participants do not. For remote participants, all artifacts must be submitted to the ZDI prior to registration closing. This includes things like the white paper, the exploit, and any further details needed for the entry. Contestants competing in person have until the contest begins to have these deliverables ready.

5.     Are you aware a white paper is required for each entry?

This is one aspect that many don’t realize. Each entry in Pwn2Own needs an accompanying white paper describing the vulnerabilities used during the attempt. These white papers are critical in the judging of the competition, especially if exploits from different contestants seem similar. For example, if two groups both use a use-after-free bug against a target, is it the same bug? Maybe. Maybe not. A clearly written white paper will help us understand your research and identify whether it is unique or a bug collision. It also helps the vendor pinpoint the exact place to look at when they start working on the fix.

6.     Ask questions before the competition.

There can be a lot of nuances in exploiting targets at Pwn2Own. How will we judge certain scenarios? How will the targets be configured? Does this type of exploit qualify for this bonus? Is the target in this configuration or that configuration? Is this software completely in the default configuration, or is this commonly applied setting used? There are a lot of very reasonable questions to ask before the contest, and we try to answer every one of them the best we can. If you are thinking about participating but have a specific configuration or rule-related questions, please e-mail us. Questions asked over Twitter or other means may not be answered in a timely manner. It might seem archaic to some, but e-mail makes it easier to track inquiries and ensure they get responses.

7.     Be prepared for things to go wrong.

Five minutes seems like plenty of time – until you’re on stage at Pwn2Own and there’s a clock counting down. If your first attempt fails, do you have a plan? What are you going to check? Can you adjust your exploit in a meaningful way within the allotted time? Certain types of exploits work better at Pwn2Own than others. For example, timing attacks and race conditions might not be the best choice to use at Pwn2Own. Yes, your exploit may work 100% of the time before you arrive at the contest, but what if it doesn’t when you’re on stage? Make a plan B, and probably a plan C and D as well.

8.     Are you participating as an individual, a part of a team, or representing a company?

While we do want maximum participation in each contest, we also need to place some restrictions on how that participation occurs. For example, if you are representing a company, you can’t also participate as an individual. If you are a part of a small team, you can’t also represent a company. This restriction helps keep the contest fair to everyone involved and prevents bug sharing meant to skew the overall results.

9.     When you arrive at the contest, take a minute to confirm the target versions.

Before the contest begins – even before we do the drawing for order – we allow contestants to verify configurations and software versions of the targets. We always use the latest and greatest versions of available software as Pwn2Own targets, and vendors are known to release patches right before the competition in a last-ditch attempt to thwart contestants. It’s a good idea to take a minute and double-check the versions in the contest are the same versions you were testing back home. We will communicate the versions before the contest, so you will know what to target.

10.  Rub a rabbit’s foot, grab a four-leafed clover, or do whatever else brings you luck.

Thanks to the drawing for order at the beginning of each contest, there is a degree of randomness to the competition. You could end up with a great spot in the schedule, or you could end up late in the contest when the chances for bug collisions are higher. But you can’t rely on luck, either. Some teams will just move on to a new target as soon as they find a bug to try to get as many entries in as possible and hope for a good draw - even if their bugs are low-hanging fruit. However, the teams that really want to compete for Master of Pwn spend a lot of time going deep and finding bugs other teams may miss. Pwn2Own is certainly a competition of skill but having a little luck (at least good luck) never hurts either.

Of course, there’s a lot more to participating in Pwn2Own than just these 10 things, but these will definitely help you prepare for the competition and, hopefully, increase your chances of winning. We really do root for all of the contestants, and we want to do all we can to increase your chances of success. Still, we need to adjudicate the contest fairly for all competitors. If you are on the fence about participating in Pwn2Own, I hope this guidance helps you find the right path to joining us. We celebrate the 15th anniversary of the contest this year in Vancouver, and we’d love to see you there.

What to Expect when Exploiting: A Guide to Pwn2Own Participation

The May 2022 Security Update Review

10 May 2022 at 17:29

It’s the fifth second Tuesday of 2022, which also means it’s the also the fifth Patch Tuesday of the year, and it brings with it the latest security updates from Adobe and Microsoft. This is also the last release before Pwn2Own Vancouver, which means multiple participants will be holding their breath to see if their exploits still work or were patched out. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for May 2022

For May, Adobe released five bulletins addressing 18 CVEs in Adobe CloudFusion, InCopy, Framemaker, InDesign, and Adobe Character Animator. A total of 17 of these CVEs were reported by ZDI vulnerability researcher Mat Powell. The largest of these patches is the fix for Framemaker with 10 CVEs in total. Nine of these are Critical-rated bugs that could lead to code execution, mostly due to Out-of-Bounds (OOB) Write vulnerabilities. The patch for InDesign addresses three Critical-rated bugs that could lead to code execution. Two of these are due to OOB Writes while one is an OOB Read. The patch for InCopy also fixes three Critical-rated code execution bugs. In this case, it’s two OOB Writes plus a Use-After-Free (UAF). The patch for Character Animator fixes a single, Critical-rated OOB Write code execution bug. Finally, the ColdFusion patch corrects an Important-rated reflected cross-site scripting (XSS) bug.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes all of these updates as priority 3.

Microsoft Patches for May 2022

For May, Microsoft released 74 new patches addressing CVEs in Microsoft Windows and Windows Components, .NET and Visual Studio, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Office and Office Components, Windows Hyper-V, Windows Authentication Methods, BitLocker, Windows Cluster Shared Volume (CSV), Remote Desktop Client, Windows Network File System, NTFS, and Windows Point-to-Point Tunneling Protocol. This is in addition to the 36 CVEs patched by Microsoft Edge (Chromium-based) in late April.

Of the 74 CVEs released today, seven are rated Critical, 66 are rated Important, and one is rated Low in severity. A total of seven of these bugs came through the ZDI program. Historically speaking, this volume is in line with May releases in the past, with 19 more than May 2021, but 5 less than May 2019. The entire 2020 release volume was somewhat of an anomaly, so comparisons there aren’t as useful.

One of the bugs released today is listed as publicly known and under active attack, while two others are listed as publicly known at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the vulnerability currently being exploited:

-       CVE-2022-26925 – Windows LSA Spoofing Vulnerability
This complex-sounding vulnerability could allow an unauthenticated attacker to force a domain controller to authenticate against another server using NTLM. The threat actor would need to be in the logical network path between the target and the resource requested (e.g., Man-in-the-Middle), but since this is listed as under active attack, someone must have figured out how to make that happen. Microsoft notes this would be a CVSS 9.8 if combined with NTLM relay attacks, making this even more severe. In addition to this patch, sysadmins should review KB5005413 and Advisory ADV210003 to see what additional measures can be taken to prevent NTLM relay attacks. Also note this patch affects some backup functionality on Server 2008 SP2. If you’re running that OS, read this one carefully to ensure your backups can still be used to restore.

 -       CVE-2022-26923 – Active Directory Domain Services Elevation of Privilege Vulnerability
This bug was submitted through the ZDI program by Oliver Lyak (@ly4k_) of the Institut for Cyber Risk. The specific flaw exists within the issuance of certificates. By including crafted data in a certificate request, an attacker can obtain a certificate that allows the attacker to authenticate to a domain controller with a high level of privilege. In essence, any domain authenticated user can become a domain admin if Active Directory Certificate Services are running on the domain. This is a very common deployment. Considering the severity of this bug and the relative ease of exploit, it would not surprise me to see active attacks using this technique sooner rather than later.

 -       CVE-2022-26937 – Windows Network File System Remote Code Execution Vulnerability
This CVSS 9.8-rated bug could allow remote, unauthenticated attackers to execute code in the context of the Network File System (NFS) service on affected systems. NFS isn’t on by default, but it’s prevalent in environments where Windows systems are mixed with other OSes such as Linux or Unix. If this describes your environment, you should definitely test and deploy this patch quickly. Microsoft notes NFSv4.1 is not exploitable, so upgrade from NFSv2 or NFSv3 if possible.

 -       CVE-2022-29972 – Insight Software: Magnitude Simba Amazon Redshift ODBC Driver
This update was actually released yesterday and is complicated enough for Microsoft to blog about the bug and how it affects multiple Microsoft services. Microsoft also released its first advisory of the year, ADV220001, with additional information about the vulnerability. The flaw exists in the third-party ODBC data connector used to connect to Amazon Redshift, in Integration Runtime (IR) in Azure Synapse Pipelines, and Azure Data Factory, and could allow an attacker to execute remote commands across Integration Runtimes. If you use these services, review the blog and advisory to ensure you understand the risks to your services.

Here’s the full list of CVEs released by Microsoft for May 2022:

CVE Title Severity CVSS Public Exploited Type
CVE-2022-26925 Windows LSA Spoofing Vulnerability Important 8.1 Yes Yes Spoofing
CVE-2022-29972 Insight Software: CVE-2022-29972 Magnitude Simba Amazon Redshift ODBC Driver Critical N/A Yes No RCE
CVE-2022-22713 Windows Hyper-V Denial of Service Vulnerability Important 5.6 Yes No DoS
CVE-2022-26923 Active Directory Domain Services Elevation of Privilege Vulnerability Critical 8.8 No No EoP
CVE-2022-21972 Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2022-23270 Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2022-22017 Remote Desktop Client Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2022-26931 Windows Kerberos Elevation of Privilege Vulnerability Critical 7.5 No No EoP
CVE-2022-26937 Windows Network File System Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2022-23267 .NET and Visual Studio Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-29117 .NET and Visual Studio Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-29145 .NET and Visual Studio Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-29127 BitLocker Security Feature Bypass Vulnerability Important 4.2 No No SFB
CVE-2022-29109 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-29110 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-21978 Microsoft Exchange Server Elevation of Privilege Vulnerability Important 8.2 No No EoP
CVE-2022-29107 Microsoft Office Security Feature Bypass Vulnerability Important 5.5 No No SFB
CVE-2022-29108 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-29105 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-26940 Remote Desktop Protocol Client Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2022-22019 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-26932 Storage Spaces Direct Elevation of Privilege Vulnerability Important 8.2 No No EoP
CVE-2022-26938 Storage Spaces Direct Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-26939 Storage Spaces Direct Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-29126 Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-30129 Visual Studio Code Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-29148 Visual Studio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-26926 Windows Address Book Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-23279 Windows ALPC Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-26913 Windows Authentication Security Feature Bypass Vulnerability Important 7.4 No No SFB
CVE-2022-29135 Windows Cluster Shared Volume (CSV) Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-29150 Windows Cluster Shared Volume (CSV) Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-29151 Windows Cluster Shared Volume (CSV) Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-29138 Windows Clustered Shared Volume Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-29120 Windows Clustered Shared Volume Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2022-29122 Windows Clustered Shared Volume Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2022-29123 Windows Clustered Shared Volume Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2022-29134 Windows Clustered Shared Volume Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2022-29113 Windows Digital Media Receiver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-29102 Windows Failover Cluster Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-29115 Windows Fax Service Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-22011 Windows Graphics Component Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-26934 Windows Graphics Component Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2022-29112 Windows Graphics Component Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2022-26927 Windows Graphics Component Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-24466 Windows Hyper-V Security Feature Bypass Vulnerability Important 4.1 No No SFB
CVE-2022-29106 Windows Hyper-V Shared Virtual Disk Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-29133 Windows Kernel Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2022-29142 Windows Kernel Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-29116 Windows Kernel Information Disclosure Vulnerability Important 4.7 No No Info
CVE-2022-22012 Windows LDAP Remote Code Execution Vulnerability Important 9.8 No No RCE
CVE-2022-22013 Windows LDAP Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-22014 Windows LDAP Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-29128 Windows LDAP Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-29129 Windows LDAP Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-29130 Windows LDAP Remote Code Execution Vulnerability Important 9.8 No No RCE
CVE-2022-29131 Windows LDAP Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-29137 Windows LDAP Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-29139 Windows LDAP Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-29141 Windows LDAP Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-26933 Windows NTFS Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-22016 Windows PlayToManager Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-29104 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-29132 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-29114 Windows Print Spooler Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-29140 Windows Print Spooler Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-29125 Windows Push Notifications Apps Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-29103 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-26930 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-22015 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2022-26936 Windows Server Service Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2022-29121 Windows WLAN AutoConfig Service Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2022-26935 Windows WLAN AutoConfig Service Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2022-30130 .NET Framework Denial of Service Vulnerability Low 3.3 No No DoS

Looking at the remaining Critical-rated patches, there are two that affect the Windows implementation of Point-to-Point Tunneling Protocol (PPTP) that could allow an RCE. Microsoft notes an attacker would need to win a race condition to successfully exploit these bugs, but not every race condition is identical. In other words, an attacker may pull a Rich Strike and win that race. There’s a Critical-rated Elevation of Privilege (EoP) bug in Microsoft Kerberos, but no further information is provided. It’s unusual for an EoP to be rated Critical, so the privilege escalation must result in something beyond just a domain account. Finally, there’s another patch for the RDP Client, which seem to be coming at least once a month these days. An attacker would need to convince an affected system to connect to a specially crafted RDP server to gain code execution.

There are 20 other patches for RCE bugs in this month’s release, and half of those deal with LDAP vulnerabilities. The most severe of these clocks in with a CVSS of 9.8 but would require the MaxReceiveBuffer LDAP policy to be set to a value higher than the default value. It’s not clear if that is a common or rare configuration. The others would require some form of authentication. Three of the remaining RCEs came through the ZDI program. ZDI vulnerability researcher Hossein Lotfi discovered a bug in Windows Media Foundation that exists within the parsing of AVI files. The research known as ZhangYang found a heap overflow bug in Visual Studio, and Uncodable reported a use-after-free (UAF) bug in the Windows Graphic component. The remaining RCE bugs require some form of user interaction – mostly clicking on a link or opening a file. The only exception to this is the bugs in SharePoint, which requires an authenticated user with page creation permissions. By default, any authenticated user can create their own site where they have the necessary permissions.   

Moving on to EoP-related patches, there are 21 total privilege escalation bugs in the release, including the two previously mentioned. Most of these require an attacker to log on a run their specially crafted code or somehow convince (or trick) an authorized user to do so. However, there are a couple of patches that stand out. The most obvious is the patch for Exchange Server, which requires an admin to specifically prepare Active Directory before installing the patch. This entails running specific commands from the command prompt once the patch has been downloaded. Microsoft doesn’t indicate what could happen if these steps are not followed, but the bug allows an Exchange admin to become a Domain Admin, so ensure you take the appropriate steps to fully remediate this vulnerability. There’s a privilege escalation in the Remote Access Connection Manager, but without further details from Microsoft, it’s not clear how this vulnerability manifests. Finally, there are two EoP fixes for the Print Spooler, with one coming from Oliver Lyak through ZDI. The bug he reported could allow an attacker to create a symbolic link, which could then cause the service to load an arbitrary DLL.

Speaking of the Print Spooler, two of the 17 info disclosure bugs patched by this month’s release impact this component, and both were reported by Oliver through ZDI. These bugs result from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage these vulnerabilities to disclose information in the context of SYSTEM. Most of the other Info Disclosure bugs in this release only result in leaks consisting of unspecified memory contents. The other exception to this would be the bug in the Windows Server Service (aka LanManServer). Microsoft states that an attacker could confirm the presence of specific file names and users over an internal network, but they don’t state how this would occur.

There are four fixes for Security Feature Bypass (SFB) bugs in this release, and each one deserves a mention. The first relates to a Virtual Machine Switch with virtual networking in Hyper-V Network Virtualization (HNV). An attacker could bypass extended ACLs and other checks, which implies one guest OS could impact a different guest OS on the same server. Up next is a bug in Office that could allow an attacker to gain personally identifiable information (PII) by bypassing the “ThisDocument.RemovePersonalInformation” functionality. If you’re sharing files online but want your personal information removed, be sure to apply this update. The update for Windows Authentication addresses a vulnerability that could allow Man-in-the-Middle (MITM) attackers to decrypt and read or modify TLS traffic between the client and server. Finally, there is a bypass of BitLocker Device Encryption that requires physical access but could allow an attacker to gain access to encrypted data in certain scenarios. These final two bugs may be a bit unlikely to be seen in the wild, but if they are, the impact would be quite severe. Bugs like these are the ones sought by advanced threat actors for use on high-profile targets.

The May release is rounded out by six updates to address Denial-of-Service bugs in Hyper-V, the WLAN Autoconfig Service, and .NET and Visual Studio. The WLAN vulnerability is limited to a logically adjacent topology and can’t be reached from the internet. The bug in Hyper-V is listed as public, but Microsoft provides no information on where it was posted or how much detail was exposed. There are multiple DoS bugs listed for .NET and Visual Studio, but no further details are provided. One of these .NET bugs is the lone Low-severity bug in this release.

There is one new advisory for May covering improvements to Azure Data Factory and Azure Synapse Pipeline. This was previously mentioned (above) and is in response to CVE-2022-29972. While certainly not new, the latest servicing stack updates can be found in the revised ADV990001.

Looking Ahead

The next Patch Tuesday falls on June 14, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean! (And hope to see you in Vancouver!)

The May 2022 Security Update Review

Pwn2Own Vancouver 2022 - The Schedule

17 May 2022 at 23:47

Welcome to Pwn2Own Vancouver 2022! This year marks the 15th anniversary of the contest, and we plan on celebrating by putting some amazing research on display. For this year’s event, we have 17 contestants attempting to exploit 21 targets across multiple categories. As always, we began our contest with a random drawing to determine the order of attempts. If you missed it, you can watch the replay here.

The complete schedule for the contest is below (all times Pacific [GMT -7:00]).

Note: All times subject to change - You can see the results and live updates here once they become available. Entries marked with a 📷 icon will be live-streamed on YouTube, Twitch, and Twitter.

Wednesday, May 18, 2022

0930: Hector “p3rr0” Peralta targeting Microsoft Teams in the Enterprise Communications category

📷  1030: Billy Jheng Bing-Jhong (@st424204), Muhammad Alifa Ramdhan (@n0psledbyte), and Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss) of STAR Labs targeting Oracle VirtualBox with a guest-to-host escape in the Virtualization category

📷  1200: Masato Kinugawa targeting Microsoft Teams in the Enterprise Communications category

📷  1300: Manfred Paul (@_manfp) targeting Mozilla Firefox (including sandbox escape) in the Web Browser category

1330: Marcin Wiązowski targeting Microsoft Windows 11 in the Local Elevation of Privilege category

1400: Team Orca of Sea Security (security.sea.com) targeting Ubuntu Desktop in the Local Elevation of Privilege category

1450: Daniel Lim Wee Soong (@daniellimws), Poh Jia Hao (@Chocologicall), Li Jiantao (@CurseRed) & Ngo Wei Lin (@Creastery) of STAR Labs targeting Microsoft Teams in the Enterprise Communications category

📷  1550: Manfred Paul (@_manfp) targeting Apple Safari in the Web Browser category

📷  1650: Keith Yeo (@kyeojy) targeting Ubuntu Desktop in the Local Elevation of Privilege category

1720: Phan Thanh Duy (@PTDuy) and Lê Hữu Quang Linh (@linhlhq) of STAR Labs targeting Microsoft Windows 11 in the Local Elevation of Privilege category

Thursday, May 19, 2022

 📷  1000: David BERARD and Vincent DEHORS from @Synacktiv target the Tesla Model 3 Infotainment System (with Sandbox Escape) in the Automotive category

 1100: namnp targeting Microsoft Windows 11 in the Local Elevation of Privilege category

 📷  1130: Bien Pham (@bienpnn) targeting Ubuntu Desktop in the Local Elevation of Privilege category

 📷 1300: @Jedar_LZ targeting the Tesla Model 3 Diagnostic Ethernet (with Root Persistence) in the Automotive category

 1400: T0 targeting Microsoft Windows 11 in the Local Elevation of Privilege category

 📷  1430: TUTELARY from Northwestern University targeting Ubuntu Desktop in the Local Elevation of Privilege category

 Friday, May 20, 2022

 📷  1000: Team DoubleDragon: Yonghwi Jin (@jinmo123) of Theori, and Yongjin Kim (@adm1nkyj1) of Enki targeting Microsoft Teams in the Enterprise Communications category

 1030: nghiadt12 from Viettel Cyber Security targeting Microsoft Windows 11 in the Local Elevation of Privilege category

📷  1100: Billy Jheng Bing-Jhong (@st424204) of STAR Labs targeting Ubuntu Desktop in the Local Elevation of Privilege category

1300: vinhthp1712 targeting Microsoft Windows 11 in the Local Elevation of Privilege category

📷  1330: Bruno PUJOS (@brunopujos) from REverse Tactics targeting Microsoft Windows 11 in the Local Elevation of Privilege category

 📷  1520: Award Ceremony

Pwn2Own Vancouver 2022 - The Schedule

Pwn2Own Vancouver 2022 - The Results

18 May 2022 at 19:08

Pwn2Own Vancouver for 2022 is underway, and the 15th anniversary of the contest has already seen some amazing research demonstrated. Stay tuned to this blog for updated results, picture, and videos from the event. We’ll be posting it all here - including the most recent Master of Pwn leaderboard.

Jump to Day One results; Jump to Day Two results; Jump to Day Three results

Here are the current standings for the Master of Pwn:

Current as of May 20, 12:00 Pacific

Day One - May 18, 2022

SUCCESS - Hector “p3rr0” Peralta was able to demonstrate an improper configuration against Microsoft Teams. He earns $150,000 and 15 Master of Pwn points.

Hector “p3rr0” Peralta demonstrates a improper configuration bug on Microsoft Teams by launching calc.

SUCCESS - Billy Jheng Bing-Jhong (@st424204), Muhammad Alifa Ramdhan (@n0psledbyte), and Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss) of STAR Labs successfully used an OOB Read and OOB Write to achieve escalation on Oracle Virtualbox. They earn $40,000 and 4 Master of Pwn points.

SUCCESS - Masato Kinugawa was able to execute a 3-bug chain of injection, misconfiguraton and sandbox escape against Microsoft Teams, earning $150,000 and 15 Master of Pwn points.

SUCCESS - Manfred Paul (@_manfp) successfully demonstrated 2 bugs - prototype pollution and improper input validation - on Mozilla Firefox, earning him $100,000 and 10 Master of Pwn points.

Manfred Paul (left) demonstrates his 2 bug vulnerability submission on Mozilla Firefox to ZDI Analysts Hossein Lotfi and Michael DePlante.

SUCCESS - Marcin Wiązowski was able to execute an out-of-bounds write escalation of privilege on Microsoft Windows 11, earning $40,000 and 4 Master of Pwn points, and high praise on the accompanying whitepaper from the Microsoft team.

SUCCESS - Team Orca of Sea Security (security.sea.com) was able to execute 2 bugs on Ubuntu Desktop - an Out-of-Bounds Write (OOBW) and Use-After-Free (UAF) - earning $40,000 and 4 Master of Pwn points.

Team Orca of Sea Security successfully demonstrates their OOBW and UAF on Ubuntu Desktop.

SUCCESS - Daniel Lim Wee Soong (@daniellimws), Poh Jia Hao (@Chocologicall), Li Jiantao (@CurseRed) & Ngo Wei Lin (@Creastery) of STAR Labs successfully demonstrated their zero-click exploit of 2 bugs (injection and arbitrary file write) on Microsoft Teams. They earn $150,000 and 15 Master of Pwn points.

SUCCESS - Manfred Paul (@_manfp) successfully scored his second win of the day with an out-of-band write on Apple Safari, earning him another $50,000 and 5 additional Master of Pwn points.

SUCCESS - Phan Thanh Duy (@PTDuy and Lê Hữu Quang Linh (@linhlhq of STAR Labs earned $40K and 4 Master of Pwn points for a Use-After-Free elevation of privilege on Microsoft Windows 11.

SUCCESS - Keith Yeo (@kyeojy) earned $40K and 4 Master of Pwn points for a Use-After-Free exploit on Ubuntu Desktop.

Day Two - May 19, 2022

SUCCESS and BUG COLLISION - On the first attempt of the day, David BERARD and Vincent DEHORS from @Synacktiv were able to demonstrate 2 unique bugs (Double-Free & OOBW) with collision on a known sandbox escape on a Tesla Model 3 Infotainment System. They earn $75,000 and 7.5 Master of Pwn points, and although they don't win the car outright, they have made enough to go pick one up themselves!

First attempt of the day at Tesla. From left to right: 2 representatives from Tesla (standing and seated), ZDI Analyst Michael DePlante, Sr. Director of Vulnerability Research (ZDI) Brian Gorenc, David BERARD and Vincent DEHORS of Synacktiv.

FAILURE - On the second attempt of day 2, namnp was unable to get their exploit of Microsoft Windows 11 working within the time allotted.

SUCCESS - Bien Pham (@bienpnn) was able to execute a Use After Free bug leading to elevation of privilege on Unbuntu Desktop, earning $40,000 and 4 Master of Pwn points.

Local elevation of privilege on Ubuntu Desktop courtesy of Bien Pham.

FAILURE - @Jedar_LZ was unable to get today's second Tesla attempt working within the time allotted. On a positive note, @thedzi decided to acquire the details of the exploit and disclose them to Tesla.

SUCCESS - T0 was able to successfully show an improper access control bug leading to elevation of privilege on Microsoft Windows 11 - earning $40,000 and 4 Master of Pwn points.

SUCCESS - On the final attempt of Day 2, Zhenpeng Lin (@Markak_), Yueqi Chen (@Lewis_Chen_), and Xinyu Xing (@xingxinyu) of Team TUTELARY from Northwestern University successfully demonstrated a Use After Free bug leading to elevation of privilege on Ubuntu Desktop. This earns him $40,000 and 4 Master of Pwn points.

From left: Yueqi Chen of Team TUTELARY of Northwestern University with ZDI Analysts Tony Fuller and Bobby Gould.

Day Three - May 20, 2022

FAILURE - On the first attempt of day 3, Team DoubleDragon: Yonghwi Jin (@jinmo123) of Theori, and Yongjin Kim (@adm1nkyj1) of Enki was unable to get their exploit of Microsoft Teams working within the time allotted. All is not lost though, in that Team Double Dragon was able to get their research into the regular ZDI process.

SUCCESS - nghiadt12 from Viettel Cyber Security was able to successfully show an escalation of privilege via Integer Overflow on Microsoft Windows 11 - earning $40,000 and 4 Master of Pwn points.

EOP via Integer Overflow on Windows 11 courtesy of nghiadt12 from Viettel Cyber Security

SUCCESS - Billy Jheng Bing-Jhong (@st424204) STAR Labs was able to successfully demonstrate a Use-After-Free exploit on Ubuntu Desktop - earning another $40,000 and 4 Master of Pwn points.

SUCCESS - vinhthp1712 successfully achieved Elevation of Privilege via Improper Access Control on Microsoft Windows 11. vinhthp1712 earns $40,000 and 4 Master of Pwn points.

SUCCESS - On the final attempt of the competition, Bruno PUJOS (@brunopujos) from REverse Tactics successfully achieved Elevation of Privilege via Use-After-Free on Microsoft Windows 11. Bruno earns $40,000 and 4 Master of Pwn points.

Bruno PUJOS from REverse Tactics drops an EOP via UAF on Microsoft Windows 11.

That concludes the regular scheduled programming for our event! This year, we had a total of 21 attempts from 17 contestants with Trend Micro and ZDI awarding $1,155,000! We can’t wait to share more details in the near future about our fall event, so stay tuned!

As always, follow us on Twitter for the latest results, update, and breaking news.

Thanks again to our partners Tesla, Zoom, and Microsoft as well as our sponsor VMware. Thanks also to the researchers who participate and to the vendors for providing fixes for what was discovered and reported during the contest. As a reminder, vendors have 90 days to produce a fix for all vulnerabilities disclosed.

Pwn2Own Vancouver 2022 - The Results

The June 2022 Security Update Review

14 June 2022 at 17:25

It’s once again Patch Tuesday, which means the latest security updates from Adobe and Microsoft have arrived. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for June 2022

This month, Adobe released six patches addressing 46 CVEs in Adobe Illustrator, InDesign, InCopy, Bridge, Robohelp, and Animate. A total of 40 of these CVEs were reported by ZDI vulnerability researcher Mat Powell. The largest update belongs to Illustrator, which addresses 17 total CVEs. The most severe of these bugs could allow code execution if an affected system opens a specially crafted file. Many of these bugs fall into the Out-Of-Bounds (OOB) Write category. The update for Adobe Bridge fixes 12 bugs, 11 of which are rated Critical. The patch for InCopy fixes eight Critical-rated bugs, all of which could lead to arbitrary code execution. Similarly, the InDesign patch fixes seven Critical-rated arbitrary code execution bugs. For both InDesign and InCopy, the bugs are a mix of OOB Read, OOB Write, heap overflow, and Use-After-Free (UAF) vulnerabilities. The lone bug fixed by the Animate patch is also a Critical-rated OOB Write that could lead to arbitrary code execution. Finally, the Robohelp patch fixes a Moderate-rated privilege escalation bug caused by improper authorization.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as priority 3.

Microsoft Patches for June 2022

For June, Microsoft released 55 new patches addressing CVEs in Microsoft Windows and Windows Components; .NET and Visual Studio; Microsoft Office and Office Components; Microsoft Edge (Chromium-based); Windows Hyper-V Server; Windows App Store; Azure OMI, Real Time Operating System, and Service Fabric Container; SharePoint Server; Windows Defender; Windows Lightweight Directory Access Protocol (LDAP); and Windows Powershell. This is in addition to the 4 CVEs patched in Microsoft Edge (Chromium-based), and the new update for MSDT. That brings the total number of CVEs to 60.

Of the 55 new CVEs released today, three are rated Critical, 51 are rated Important, and one is rated Moderate in severity. None of the new bugs patched this month are listed as publicly known or under active attack at the time of release, however, we do have an update for MSDT, which is public and reported to be under active attack.

It's also interesting to note is what is not included in today’s release. This is the first month in recent memory without an update for the Print Spooler. We’ll see if that trend continues or if this reprieve is only temporary. Finally, there are no fixes listed for any of the bugs disclosed during Pwn2Own Vancouver.

Before we take a deeper dive into this month’s release, let’s take just a minute to remember Internet Explorer, which will go out of support tomorrow. The ubiquitous browser has served up websites to users since 1995, and while it’s doubtful anyone will miss it, it certainly had a good run. If you’re worried about your legacy apps still functioning, IE Mode in Microsoft Edge will be supported through at least 2029. With nostalgia out of the way, let’s take a closer look at some of the more interesting updates for this month, starting with the much anticipated fix for MSDT:

-       CVE-2022-30190 - Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability
Although it’s difficult to see from the Security Update Guide, Microsoft did release an update to address the much discuss “Follina” vulnerability in MSDT. This bug has been reported to be under active attack, so priority should be given to the testing and deployment of this update.

-       CVE-2022-30136 - Windows Network File System Remote Code Execution Vulnerability
This CVSS 9.8 bug looks eerily similar to CVE-2022-26937 – an NFS bug patched last month and one we blogged about last week. This vulnerability could allow a remote attacker to execute privileged code on affected systems running NFS. On the surface, the only difference between the patches is that this month’s update fixes a bug in NFSV4.1, whereas last month’s bug only affected versions NSFV2.0 and NSFV3.0. It’s not clear if this is a variant or a failed patch or a completely new issue. Regardless, enterprises running NFS should prioritize testing and deploying this fix.

 -       CVE-2022-30163 - Windows Hyper-V Remote Code Execution Vulnerability
This bug could allow a user on a Hyper-V guest to run their code on the underlying Hyper-V host OS. The update doesn’t list the privileges the attacker’s code would run at, but any guest-to-host escape should be taken seriously. Microsoft notes that attack complexity is high since an attacker would need to win a race condition. However, we have seen many reliable exploits demonstrated that involve race conditions, so take the appropriate step to test and deploy this update.

-       CVE-2022-30148 - Windows Desired State Configuration (DSC) Information Disclosure Vulnerability
Most info disclosure bugs simply leak unspecified memory contents, but this bug is different. An attacker could use this to recover plaintext passwords and usernames from log files. Since DSC is often used by SysAdmins to maintain machine configurations in an enterprise, there are likely some sought-after username/password combos that could be recovered. This would also be a great bug for an attacker to move laterally within a network. If you’re using DSC, make sure you don’t miss this update.

Here’s the full list of CVEs released by Microsoft for June 2022:

CVE Title Severity CVSS Public Exploited Type
CVE-2022-30163 Windows Hyper-V Remote Code Execution Vulnerability Critical 8.5 No No RCE
CVE-2022-30139 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability Critical 7.5 No No RCE
CVE-2022-30136 Windows Network File System Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2022-30184 .NET and Visual Studio Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-30167 AV1 Video Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-30193 AV1 Video Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-29149 Azure Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-30180 Azure RTOS GUIX Studio Information Disclosure Vulnerability Important 7.8 No No Info
CVE-2022-30177 Azure RTOS GUIX Studio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-30178 Azure RTOS GUIX Studio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-30179 Azure RTOS GUIX Studio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-30137 Azure Service Fabric Container Elevation of Privilege Vulnerability Important 6.7 No No EoP
CVE-2022-22018 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-29111 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-29119 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-30188 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-21123 * Intel: CVE-2022-21123 Shared Buffer Data Read (SBDR) Important N/A No No Info
CVE-2022-21125 * Intel: CVE-2022-21125 Shared Buffers Data Sampling (SBDS) Important N/A No No Info
CVE-2022-21127 * Intel: CVE-2022-21127 Special Register Buffer Data Sampling Update (SRBDS Update) Important N/A No No Info
CVE-2022-21166 * Intel: CVE-2022-21166 Device Register Partial Write (DRPW) Important N/A No No Info
CVE-2022-30164 Kerberos AppContainer Security Feature Bypass Vulnerability Important 8.4 No No SFB
CVE-2022-30166 Local Security Authority Subsystem Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-30173 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-30154 Microsoft File Server Shadow Copy Agent Service (RVSS) Elevation of Privilege Vulnerability Important 5.3 No No EoP
CVE-2022-30159 Microsoft Office Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-30171 Microsoft Office Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-30172 Microsoft Office Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-30174 Microsoft Office Remote Code Execution Vulnerability Important 7.4 No No RCE
CVE-2022-30168 Microsoft Photos App Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2022-30157 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-30158 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-29143 Microsoft SQL Server Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2022-30160 Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-30151 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2022-30189 Windows Autopilot Device Management and Enrollment Client Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2022-30131 Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-30132 Windows Container Manager Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-30150 Windows Defender Remote Credential Guard Elevation of Privilege Vulnerability Important 7.5 No No EoP
CVE-2022-30148 Windows Desired State Configuration (DSC) Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-30145 Windows Encrypting File System (EFS) Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2022-30142 Windows File History Remote Code Execution Vulnerability Important 7.1 No No RCE
CVE-2022-30147 Windows Installer Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-30140 Windows iSCSI Discovery Service Remote Code Execution Vulnerability Important 7.1 No No RCE
CVE-2022-30165 Windows Kerberos Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2022-30155 Windows Kernel Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2022-30162 Windows Kernel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2022-30141 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability Important 8.1 No No RCE
CVE-2022-30143 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2022-30146 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2022-30149 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2022-30153 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-30161 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2022-30135 Windows Media Center Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2022-30152 Windows Network Address Translation (NAT) Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2022-32230 * Windows SMB Denial of Service Vulnerability Important N/A No No DoS
CVE-2022-22021 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Moderate 8.3 No No RCE
CVE-2022-2007 * Chromium: Use after free in WebGPU High N/A No No RCE
CVE-2022-2008 * Chromium: Out of bounds memory access in WebGL High N/A No No RCE
CVE-2022-2010 * Chromium: Out of bounds read in compositing High N/A No No RCE
CVE-2022-2011 * Chromium: Use after free in ANGLE High N/A No No RC

* Indicates this CVE had previously been assigned by a 3rd-party and is now being incorporated into Microsoft products.

Looking at the rest of the release we that more than half of the patches this month deal with remote code execution. Seven of these deal with LDAP vulnerabilities, which is at least a decrease from the 10 LDAP patches last month. The most severe of these clocks in with a CVSS of 9.8 but would require the MaxReceiveBuffer LDAP policy to be set to a value higher than the default value. This doesn’t seem to be a common scenario. Still, the volume of bugs in LDAP over the last couple of months could indicate a broad attack surface in the component. Speaking of fertile attack surfaces, there are another six fixes for code execution bugs in the AV1 and HEVC media codecs. If you are connected to the Internet, you should automatically get updates from the Windows Store. However, if you are using these optional components in a disconnected environment, you’ll need to get these through either the Microsoft Store for Business or the Microsoft Store for Education. The same holds true for the patch addressing the RCE in the Photos App.

There are three RCE bugs receiving fixes in the Azure RTOS GUIX Studio, which provides developers a design for developing GUIs for IoT applications. What’s not clear is whether these apps will also need updates after installing these patches. There are a few RCE bugs in Office components, including a couple of interesting SharePoint bugs. Most of these require a user to open a specially crafted file. The SQL Server bug sounds pretty nasty but requires authentication. That should lessen the impact. Still, admins will need to carefully review the listed chart to determine which GDR and CU updates they require. This release includes patches impacting the iSCSI Discovery Service, Encrypting File System (EFS), and the File History component. All require some form of authentication, and the iSCSI and File History bugs require user interaction.

Moving on, there are 12 patches to address elevation of privilege (EoP) vulnerabilities. Most of these require an attacker to log on to a system and run specially crated code. There are, however, a couple of patches that stand out. The update for Azure Open Management Infrastructure (OMI) impacts multiple different Azure and SCOM components. Admins will need to touch most of these to ensure the bug is fully addressed, which will add to their workload. The patch for Azure Service Fabric doesn’t fix any bugs. Instead, it enforces the path to least privilege on Linux clusters. The bug in Kerberos affects servers with both Credential Security Service Provider (CredSSP) and Remote Credential Guard (RCG) installed. An attacker could elevate privileges and then spoof the Kerberos logon process when an RCG connection is made via CredSSP. Finally, the patch for the File Server Shadow Copy Agent Service (RVSS) only affects systems where the File Server VSS Agent Service is installed. However, on those systems, the patch alone isn’t enough. Admins must install the updates on Application and File Servers. Failure to do so could negatively impact backups and cause them to fail. See this KB article for more details.

The June release contains fixes for three Denial-of-Service (DoS) bugs. The DoS in the kernel could crash the OS, but it’s not clear how severe the bug in NAT could be. If it shut down NAT completely, it could devastate impacted enterprises. If you use NAT, treat this as a Critical update. Rapid7 also contributed a CVE in a Windows SMB that Microsoft had initially classified as a stability bug. This was silently fixed in the May 2022 updates and is being documented publicly here.

There’s a single security feature bypass being fixed this month in Kerberos AppContainer. If exploited, an attacker could bypass the Kerberos service ticketing feature that performs user access control checks. There’s also a single spoofing bug in this release for the Windows Autopilot Device Management component. There are a mountain of caveats to this bug, so if you’re using this management tool, read the bulletin carefully to determine if your systems are affected.

The release is rounded out by 11 information disclosure bugs. As previously mentioned, most of these only result in leaks consisting of unspecified memory contents. There are a couple of exceptions. The Office bug could expose device information such as resource IDs, SAS tokens, and user properties. The bug in .NET and Visual Studio could be used to intercept the API key intended for NuGet.org.

Finally, there are four info disclosure bugs addressing Intel Processor MMIO stale data vulnerabilities. An attacker could use these bugs to read privileged data across trust boundaries. Microsoft has also released Advisory ADV220002 detailing these bugs, and Intel has also released further details about this class of vulnerabilities.

Looking Ahead

The next Patch Tuesday falls on July 12, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The June 2022 Security Update Review

  • There are no more articles
❌