UPDATE (8/10/2022): August’s Patch Tuesday release from Microsoft brings the highest overall vulnerability count from Microsoft since April and the most critical vulnerabilities in over a year.
Among the critical vulnerabilities is the zero-day being referred to as ‘DogWalk,’ which comes from a weakness in Microsoft’s Windows Support Diagnostic Tool and is actively being exploited in the wild.
Administrators can expect to be busy with additional high-severity vulnerabilities in historically popular targets like Active Directory and Microsoft Exchange – famously targeted by the HAFNIUM threat group with 0-day exploits in 2021, which are still being exploited today.
Administrators should prioritize patching critical vulnerabilities on affected systems within 72 hours, with a special focus on the Windows Point-to-Point Protocol (PPP) vulnerabilities that score 9.8/10 CVSSv3.1 and allow for remote code execution (RCE), as well as a critical elevation of privilege vulnerability in Microsoft Exchange Server that is likely to garner attention from attackers.
There are additional critical vulnerabilities in Active Directory Domain Services, Windows Secure Socket Tunneling Protocol (SSTP), and Server Message Block (SMBv3) that administrators should focus on fixing within 72 hours due to their severity and impact if exploited successfully by an attacker.
CVE-2022-34713 – ‘DogWalk’ Windows Support Diagnostic Tool Remote Code Execution Vulnerability – CRITICAL ZERO-DAY
The star of the show this month is DogWalk, a flaw in Microsoft’s Windows Support Diagnostic Tool (MSDT) that was first reported (and then glossed over) two years ago. Now DogWalk is back and getting serious attention since attackers can exploit the flaw using remote code execution in all Windows versions. DogWalk comes on the heels of another MSDT zero-day, the Follina zero-day vulnerability, that was discovered in May of this year.
While DogWalk does require some degree of user interaction for an attacker to exploit, it can cause plenty of damage with an email or browser click, so it’s one we recommend you jump on patching ASAP. – Jay Goodman
CVE-2022-30133 and CVE-2022-35744 – Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability – CRITICAL
Microsoft disclosed a pair of remote code execution vulnerabilities in the Windows Point-to-Point Protocol (PPP). CVE-2022-30133 and CVE-2022-35744 both score a CVSS v3.1 9.8, making them extremely critical vulnerabilities to remediate as soon as possible. Point-to-Point Protocol is a data link layer communication protocol between two devices without a host or any other networking in between. This critical layer 2 connection is fundamental to establishing internet links over dial-up, DSL connections, and VPNs. Because of this, these vulnerabilities are present in nearly every version of Windows and will require special attention to remediate quickly before attackers create the first proof-of-concept attacks. The vulnerabilities can be exploited via port 1723.
As a temporary workaround, admins can block the traffic through that port to stop any exploit, although disabling this port will likely impact network communication in your Windows infrastructure. Due to the prevalence of PPP in Windows, Automox recommends prioritizing patching within 72 hours.
It should also be noted that additional critical vulnerabilities were disclosed in the Point-to-Point Tunneling Protocol that score 8.1 (CVE-2022-35752 and CVE-2022-35753). – Jay Goodman
CVE-2022-34691 – Active Directory Domain Services Elevation of Privilege Vulnerability – CRITICAL
CVE-2022-34691 is a critical CVSSv3.1 8.8/10 privilege escalation vulnerability in Active Directory Domain Services (AD DS). AD DS is a widely-used server role in Active Directory that helps administrators manage devices and end users. It also helps authenticate user logins and control access to other resources.
Organizations running on-premise Active Directory services may be vulnerable on most versions of Windows 7 upwards and Server 2008 and up if they run Active Directory Certificate Services on the domain. An attacker who obtains credentials to user accounts in your domain through phishing, credential stuffing, or other means could execute a low complexity attack to acquire a certificate from AD Certificate Services that elevates their privileges to System.
With System-level privileges, an attacker could move laterally, exfiltrate data, or create other accounts to establish a persistent foothold in the domain. We recommend patching affected systems within 72 hours. – Peter Pflaster
CVE-2022-35804 – SMB Client and Server Remote Code Execution Vulnerability – CRITICAL
CVE-2022-35804 gives us a critical remote code execution (RCE) vulnerability impacting the Microsoft Server Message Block 3.1.1 (SMBv3) protocol, specifically in how it handles certain requests. Successful exploitation can lead to an attacker gaining the ability to execute code on the target system, which can be achieved through two different vectors.
Exploiting the vulnerability on the Client requires an attacker to configure a malicious SMBv3 server and convince a user to connect to it by baiting them into clicking a specially crafted link. For the vulnerability to be exploited on the Server, an unauthenticated attacker could send specially crafted packets from an SMB Client to a targeted SMBv3 Server. Given the low attack complexity and the higher likelihood of exploitation, this deserves immediate attention and a remediation window of no more than 72 hours.
If for some reason the security update cannot be immediately deployed, blocking TCP port 445 on the perimeter firewall can help reduce the risk of exploitation. However, this is not viable for remote systems and organizations will still be vulnerable to attacks from within the perimeter. – Justin Knapp
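The PPP section above names TCP port 1723 as the temporary block, and the SMB section names TCP 445 at the perimeter. The following PowerShell is an added example, not code from the Automox post or from Microsoft: it audits whether a Windows host is actually listening on either port and can apply a host-level inbound block rule as a stopgap until the update is installed. Applying a host-level 445 block to systems that do not serve SMB is a generalization of the post's perimeter advice; the rule name, function names and the assumption of an elevated PowerShell 5.1+ session on Windows 8/Server 2012 or later are mine.

```powershell
# Added example (not from the Automox post): audit exposure of the ports named in the
# PPP (TCP 1723) and SMBv3 (TCP 445) sections and optionally add a temporary inbound
# block rule. Assumes the NetTCPIP and NetSecurity modules (Windows 8 / Server 2012+)
# and an elevated session for the firewall change. Rule name is a constructed label.

function Get-ExposedPortStatus {
    param([int[]]$Ports = @(1723, 445))
    foreach ($port in $Ports) {
        # Any LISTEN socket on the port means the service is reachable if the firewall allows it
        $listeners = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
        $rule = Get-NetFirewallRule -DisplayName "Temp block inbound TCP $port" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port       = $port
            Listening  = [bool]$listeners
            OwningPids = ($listeners | Select-Object -ExpandProperty OwningProcess -Unique) -join ','
            BlockRule  = if ($rule) { $rule.Enabled } else { 'Absent' }
        }
    }
}

function Add-TemporaryInboundBlock {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][int]$Port)
    $name = "Temp block inbound TCP $Port"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Verbose "$name already exists"
        return
    }
    # -WhatIf on the caller previews the change; the description marks it for later removal
    if ($PSCmdlet.ShouldProcess("TCP/$Port", "Create inbound block rule")) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $Port -Action Block -Profile Any `
            -Description 'Temporary mitigation pending August 2022 security updates' | Out-Null
    }
}

# Audit first. Block 1723 only on hosts that are not meant to terminate PPTP VPN connections,
# and 445 only on hosts that do not need to serve SMB (file, print, admin shares).
Get-ExposedPortStatus | Format-Table -AutoSize
# Add-TemporaryInboundBlock -Port 1723 -WhatIf   # drop -WhatIf to apply
```

Once the August updates are confirmed installed, remove the rule with Remove-NetFirewallRule -DisplayName "Temp block inbound TCP 1723" so the temporary block does not outlive the reason for it.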
CVE-2022-21980 – Microsoft Exchange Server Elevation of Privilege Vulnerability – CRITICAL
CVE-2022-21980 is a critical elevation of privilege vulnerability in Microsoft Exchange wherein a remote code execution vulnerability in the software fails to handle objects in memory properly. A successful attacker can exploit this by running arbitrary code in the context of the system user, after which they could install programs; view, change, or delete data; or create new accounts.
With low complexity, this attack requires users with an affected version of Windows to access a malicious server to be successful. With no way to force users to their crafted server share or website, attackers would need to persuade users to visit the server share or website.
This vulnerability is also limited at the protocol level to a logically adjacent topology, meaning it cannot be done across the internet and instead needs something specifically tied to the target. This could include the same shared physical network (such as Bluetooth or IEEE 802.11), logical network (local IP subnet), or from within a secure or limited admin domain (MPLS, secure VPN to an admin network zone). This is common to many attacks that require man-in-the-middle type setups or rely on initially gaining a foothold in another environment.
This vulnerability impacts Microsoft Exchange Server 2013 (Cum. Update 23), Microsoft Exchange Server 2016 (Cum. Updates 22 & 23), and Microsoft Exchange Server 2019 (Cum. Updates 11 & 12). Automox recommends that users vulnerable to this issue enable Extended Protection as soon as possible as proactive prev. – Gina Geisel
CVE-2022-34714, CVE-2022-35794, CVE-2022-35745, CVE-2022-35767, CVE-2022-35766, CVE-2022-34702 – Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerabilities – CRITICAL
This Patch Tuesday brings a slew of critical remote code execution vulnerabilities recently discovered in Windows Secure Socket Tunneling Protocol (SSTP). SSTP is a mechanism to encapsulate Point-to-Point Protocol (PPP) traffic over HTTPS. This protocol enables users to access a private network by using HTTPS, and the use of HTTPS enables the traversal of most firewalls and web proxies.
CVE-2022-34714, CVE-2022-35794, CVE-2022-35745, CVE-2022-35767, CVE-2022-35766, and CVE-2022-34702 are all critical vulnerabilities due to a race condition flaw. An unauthenticated attacker could send a specially crafted connection request to a Remote Access Service (RAS) server, which could lead to remote code execution (RCE) on the RAS server machine. Credit to Yuki Chen at Cyber Kunlun for the find. – Chris Hass
Automox for Easy IT Operations
Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day.
Grab your free trial of Automox and join thousands of companies transforming IT operations into a strategic business driver.