A fairly quiet Patch Tuesday this month but still some work for security admins to do. Perhaps most importantly, it includes a crucial fix for Follina which is already being used by cybercriminals.
Microsoft didn’t report any new active threats being exploited in the wild but there are, of course, some patches to apply.
Key problems for security teams to tackle include a remote code execution vulnerability for SharePoint and a remote code execution vulnerability in Hyper V that could let an attacker move from a guest virtual machine to the host, accessing all running virtual machines.
CVE-2022-30136 – 9.8 – Windows Network File System Remote Code Execution Vulnerability
An attacker would typically already need to have access to your network to exploit this vulnerability, and the NFS service on windows is not enabled by default, but that’s no reason to be complacent. With a score of 9.8, if you’re sharing files and file systems over a network with NFS, this should be high on the list to patch.
If patching quickly isn’t an option, the official mitigation is to disable the NFSv4. This could impact any services that are interacting with the NFS, requiring them to be downgraded, as it will require stopping and restarting the system.
CVE-2022-30157 and CVE-2022-30158 Microsoft SharePoint Server Remote Code Execution Vulnerability
This pair of vulnerabilities is listed as remote code execution. The attacker would, however, need authenticated access with the ability to create new pages. This kind of vulnerability would likely be abused by an attacker who already has the initial foothold to move laterally across the network.
This could affect organizations that use SharePoint for internal wikis or document stores. Attackers might exploit this vulnerability to steal confidential information, replace documents with new versions that contain malicious code, or to create macros to infect other systems.
CVE-2022-30147 – 7.8 – Windows Installer Elevation of Privilege Vulnerability
Marked as more likely to be exploited, CVE-2022-30147 is a local privileged escalation vulnerability in both desktop and server environments. Whilst the CVSS score is only a 7.8, this kind of vulnerability is almost always seen during a cyber attack. Once an attacker has gained initial access, they can elevate that initial level of access up to that of an administrator, where they can disable security tools. In the case of ransomware attack, this leverages access to more sensitive data before encrypting the files.
CVE-2022-30147 – 7.8 – Windows Installer Elevation of Privilege Vulnerability
There is very little information disclosed by Microsoft on CVE-2022-30147 other than that it is a local privilege escalation vulnerability, and that exploitation is more likely. Once an attacker has gained initial access, they will often deploy tools like mimikatz pivot to gain domain levels of access. To use these tools an attacker first needs local administrator level privileges, which is why we often see this kind of vulnerability leveraged so quickly after the initial compromise.
CVE-2022-30163 – 8.5 – Windows Hyper-V Remote Code Execution Vulnerability
A remote code execution vulnerability in Hyper V sounds scary when you consider that, if exploited, an attacker could move from a guest virtual machine to the host, accessing all running virtual machines. However, Microsoft has marked this vulnerability as less likely to be exploited. This is probably because the complexity is high and requires an attacker to win a race condition. What that condition is, is not disclosed. This one will be of high value to attackers if a method of easily exploiting it is discovered.
Patching at pace with Microsoft’s Autopatch
The speed of patching has become more important in the last few years. We often see attackers rapidly exploiting zero day and recently patched vulnerabilities within days, or even hours, of release. But relying on speed alone could cause more harm with the risk of deploying updates without fully testing them.
This makes it more important than ever to understand your networks and your risks when it comes to applying patches or mitigations. Microsoft is responding to this catch-22 by rolling out AutoPatch to supported organisations from July.
Autopatch is designed around deployment rings, releasing security updates more quickly than feature updates. These deployment rings also mean that any issues with patching can be identified quickly, before the patches are fully propagated across devices.
