Low Numbers, High Severity: September’s Patch Tuesday Shouldn't Be Ignored

Automox Experts Weigh in on September 2022 Patch Tuesday Release

September’s Patch Tuesday release from Microsoft sees a nearly 50% drop in vulnerabilities from last month to just 64 vulnerabilities from Microsoft – only five of which are critical. However, those five critical vulnerabilities pack a punch as they impact most versions of Windows 7-11 and Server 2008-2022.

Administrators with the IPSec protocols active in their environments, a suite commonly used in VPN products, should prioritize patching critical remote code execution vulnerabilities in Windows TCP/IP and Internet Key Exchange Protocol (IKE) within 72 hours, as they can be exploited over the network with simple packages.

Threat actors are also leveraging existing system access to actively exploit a vulnerability in the Windows Common Log File System Driver that allows an elevation of privilege to SYSTEM on most builds of Windows 7-11 and Server 2008-2022.

There’s also an important privilege elevation vulnerability in the Windows Kernel that threat actors are likely to target on Windows 10 and 11 machines as well as Server 2016-2022.

CVE-2022-37969 – Windows Common Log File System Driver Elevation of Privilege Vulnerability – IMPORTANT

Threat actors are actively exploiting CVE-2022-37969 to elevate to SYSTEM privileges on most builds of Windows 7-11 and Server 2008-2022 machines. To exploit, the attacker must already have access to your system and the ability to run code on it. Although this vulnerability scores a CVSSv3.1 7.8/10, lower compared to other vulnerabilities patched today, we recommend patching as soon as possible since the vulnerability is being actively exploited. – Peter Pflaster

CVE-2022-34718 – Windows TCP/IP Remote Code Execution Vulnerability – CRITICAL

CVE-2022-34718 is a critical CVSSv3.1 9.8/10 vulnerability in Windows TCP/IP affecting most versions of Windows operating systems where IPSec is enabled. Attackers can craft and send a simple IPv6 packet to a vulnerable system with IPSec enabled to execute code remotely on that machine.

Transmission Control Protocol/Internet Protocol (TCP/IP) is the core protocol used on the internet today for communication and is present on Windows OSes from 7 through 11 and Server operating systems from 2008 through 2022.

However, only unpatched systems that also have IPSec enabled are vulnerable. IPSec is a group of protocols used for encrypted communication between devices – most commonly used to set up VPNs. If you’re using a VPN, verify what protocols that VPN leverages, as IPSec could be enabled as a result.

We recommend patching all vulnerable devices within 72 hours, as attackers can exploit the vulnerability relatively easily over just a network connection with no other required privileges. We expect attackers to begin scanning for and exploiting this vulnerability. – Peter Pflaster

CVE-2022-34722 and CVE-2022-34721 – Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerabilities – CRITICAL

Microsoft disclosed a pair of remote code execution vulnerabilities in Windows Internet Key Exchange, or IKE. CVE-2022-34722 and CVE-2022-34721 both score a CVSS v3.1 9.8 making them extremely critical vulnerabilities to remediate as soon as possible.

Both vulnerabilities are found in every major build of Windows from Windows 7 forward. IKE is a standard protocol used to set up secure and authenticated communications channels between two parties via a VPN. An attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could enable a remote code execution exploitation.

Automox recommends patching these critical vulnerabilities within 72 hours to minimize your exposure. Sysadmins will have a busy few days covering the vast number of Microsoft OS versions impacted by this vulnerability. – Jay Goodman

CVE-2022-37957 – Windows Kernel Elevation of Privilege Vulnerability – IMPORTANT

The Windows Kernel Elevation of Privilege Vulnerability has made a presence again for the third time this year. As a local attack vector with low attack complexity, CVE-2022-37957 is an elevation of privilege vulnerability that exists when the Windows kernel fails to properly handle objects in memory. This could potentially enable an attacker to gain system privileges. To exploit this vulnerability, an attacker would first have to log on to the system and then run a specially crafted application to take control of the system.

This vulnerability impacts Windows 10 Version 1607 (for 32-bit, 64-bit systems), Version 1809 for 32-bit, Version 1809 (for ARM64-based, 64-bit), Version 20H2 for (for ARM64-based, 32-bit, 64-bit), Version 21H1 (for ARM64-based, 32-bit, 64-bit), Version 21H2 (for ARM64-based, 32-bit, 64-bit), Windows 11 (for ARM64-based, 64-bit), and Windows Server 2016, 2019, 2022 (including Server Core Installation).

Given the higher likelihood of exploitation and the fact that elevation of privilege vulnerabilities are often an important step in the cyber kill chain, we recommend prioritizing and patching immediately. – Gina Geisel

Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day. 

Grab your free trial of Automox and join thousands of companies transforming IT operations into a strategic business driver.

Dive deeper into this topic