Microsoft Quashes Actively Exploited Zero-Day, Wormable Critical Bugs

Published: 23/11/2024   Category: security




In Microsoft's lightest Patch Tuesday update of the year so far, several security vulnerabilities stand out as must-patch, researchers warn.



Microsoft addressed a pair of important-rated zero-day bugs in its September Patch Tuesday update, including a local privilege-escalation (LPE) flaw that's being actively exploited in the wild. To boot, it disclosed three separate critical vulnerabilities that could be used for worming attacks.
The patches are part of a cache of just 64 fixed vulnerabilities from Microsoft this week, the fewest for any month this year (and almost a 50% decrease from August). The disclosed bugs affect Microsoft Windows and Windows Components; Azure and Azure Arc; .NET, Visual Studio, .NET Framework; Microsoft Edge (Chromium-based); Office and Office Components; Windows Defender; and Linux Kernel.
The actively exploited vulnerability (CVE-2022-37969, with a CVSS score of 7.8) exists in the Windows Common Log File System (CLFS) Driver, a general-purpose logging subsystem first introduced in Windows Server 2003 R2 and shipped with every later version of Windows. An exploit for the bug allows an attacker who already has code execution on the system to elevate to SYSTEM privileges with no user interaction.
No other technical details are available, but since the vulnerability has low complexity and requires no user interaction, an exploit will likely soon be in the arsenal of both white hats and black hats, Mike Walters, cybersecurity executive and co-founder of Action1, wrote in an analysis provided to Dark Reading. It’s recommended that you deploy the patch as soon as possible.
Dustin Childs of Trend Micro's Zero Day Initiative (ZDI) noted that it's likely being deployed as part of a tidy exploit-chain package.
Bugs of this nature are often wrapped into some form of social engineering attack, such as convincing someone to open a file or click a link, he wrote in his Patch Tuesday blog post. Once they do, additional code executes with elevated privileges to take over a system.
This is one for everyone to patch quickly, he stressed: Usually, we get little information on how widespread an exploit may be used. However, Microsoft credits four different agencies reporting this bug, so it’s likely beyond just targeted attacks.
The other zero-day bug (CVE-2022-23960) exists in Windows 11 for ARM64-based Systems. Microsoft didn't provide any further details, and it was not assigned a CVSS score, but Bharat Jogi, director of vulnerability and threat research at Qualys, offered context in an emailed comment, noting that it's a processor-based speculative execution issue of the sort made infamous by the Spectre and Meltdown attacks. A successful exploit would give attackers access to sensitive information.
This [is] a fix for a vulnerability known as Spectre-BHB that affects ARM64-based systems, he noted. This vulnerability is a variant of Spectre v2 which has reinvented itself on numerous occasions and has affected various processor architectures since its discovery in 2017.
He added, This class of vulnerabilities poses a large headache to the organizations attempting mitigation, as they often require updates to the operating systems, firmware, and in some cases, a recompilation of applications and hardening.
As mentioned, three of the critical-rated bugs are wormable — i.e., could be used to spread infections from machine to machine with no user interaction.
The most concerning of these is likely CVE-2022-34718, researchers said, which can be found in Windows TCP/IP. It allows a remote, unauthenticated attacker to execute code with elevated privileges on affected systems without user interaction; and it can be exploited by sending a specially crafted IPv6 packet to a Windows node where IPsec is enabled.
That officially puts it into the wormable category and earns it a CVSS rating of 9.8, Childs said. Definitely test and deploy this update quickly.
It should be noted that it only affects systems with IPv6 enabled and IPsec configured, but this is a common setup.
If a system doesn’t need the IPsec service, disable it as soon as possible, said Action1s Walters. This vulnerability can be exploited in supply chain attacks where contractor and customer networks are connected by an IPsec tunnel. If you have IPsec tunnels in your Windows infrastructure, this update is a must-have.
The other two wormable bugs, CVE-2022-34722 and CVE-2022-34721, are both found in Windows Internet Key Exchange (IKE) Protocol Extensions. They both allow RCE by sending a specially crafted IP packet to a target machine that is running Windows and has IPsec enabled, and both carry a CVSS score of 9.8.
Walters noted that the vulnerability impacts only IKEv1 and not IKEv2. However, all Windows Servers are affected because they accept both V1 and V2 packets, he wrote. There is no exploit or PoC detected in the wild yet; however, installing the fix is highly advisable.
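The exposure conditions described above for the three wormable bugs (IPv6 reachable and IPsec in use for CVE-2022-34718; IPsec/IKE enabled for CVE-2022-34721 and CVE-2022-34722) can be inventoried from the host itself. The following PowerShell is an added example written for this page, not tooling from Microsoft, Action1 or the article's author. It assumes a Windows 8 / Server 2012 or later host with the built-in NetSecurity and NetAdapter modules, run from an elevated session; the property names in the output object are the example's own choice.

```powershell
# Added example: inventory the preconditions for the September 2022 IPsec/IKE
# wormable bugs on the local host. Read-only; nothing here changes configuration.
# Assumptions: elevated PowerShell, NetSecurity/NetAdapter modules present
# (Windows 8 / Server 2012 and later). Output field names are this example's own.

function Get-IpsecWormableExposure {
    [CmdletBinding()]
    param()

    # 1. IPv6 bound on any adapter? CVE-2022-34718 needs a crafted IPv6 packet to arrive.
    $ipv6Adapters = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled } |
        Select-Object -ExpandProperty Name)

    # 2. IKE and AuthIP IPsec Keying Modules service (IKEEXT). It processes the IKE
    #    traffic targeted by CVE-2022-34721/34722 and negotiates all Windows IPsec SAs.
    $ikeext = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
    $ikeextStatus = if ($ikeext) { [string]$ikeext.Status } else { 'NotInstalled' }

    # 3. Enabled IPsec connection-security rules in the active policy store
    #    (firewall "Connection Security Rules", including GPO-delivered ones).
    $ipsecRules = @(Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
        Where-Object { "$($_.Enabled)" -eq 'True' })

    # 4. Live IPsec security associations right now (main mode = IKE/AuthIP phase 1).
    $mainModeSAs  = @(Get-NetIPsecMainModeSA  -ErrorAction SilentlyContinue)
    $quickModeSAs = @(Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue)

    # "IPsec enabled" here means rules are active or SAs exist. Legacy IPsec policies
    # set via 'netsh ipsec static' are not visible to Get-NetIPsecRule; see usage note.
    $ipsecInUse = ($ipsecRules.Count -gt 0) -or ($mainModeSAs.Count -gt 0) -or ($quickModeSAs.Count -gt 0)

    [PSCustomObject]@{
        ComputerName       = $env:COMPUTERNAME
        IPv6Adapters       = ($ipv6Adapters -join ', ')
        IKEEXTStatus       = $ikeextStatus
        ActiveIPsecRules   = $ipsecRules.Count
        LiveMainModeSAs    = $mainModeSAs.Count
        LiveQuickModeSAs   = $quickModeSAs.Count
        # CVE-2022-34718: IPv6 must be bound AND IPsec must be enabled.
        ExposedTcpIpIPv6   = ($ipv6Adapters.Count -gt 0) -and $ipsecInUse
        # CVE-2022-34721/34722: IKE must be reachable, i.e. IKEEXT running with IPsec enabled.
        ExposedIKE         = ($ikeextStatus -eq 'Running') -and $ipsecInUse
    }
}

Get-IpsecWormableExposure | Format-List

# Mitigation step from the article (Walters): if the host does not need IPsec at all,
# stop and disable the keying service. Left commented out because disabling IKEEXT
# also breaks L2TP/IPsec and IKEv2 VPNs, DirectAccess and domain-isolation policies.
# Stop-Service -Name IKEEXT
# Set-Service  -Name IKEEXT -StartupType Disabled
```

Treat a `True` in either `Exposed*` field as "patch first"; a `False` is not a clean bill of health, because IPsec can also be configured through legacy `netsh ipsec static` policies or by third-party VPN clients that this inventory does not enumerate, and the update itself should be installed regardless. Run it across a fleet with `Invoke-Command -ComputerName ... -ScriptBlock ${function:Get-IpsecWormableExposure}` to prioritise the IPsec-tunnelled servers Walters singles out.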
The final two critical bugs (CVE-2022-34700 and CVE-2022-35805) both exist in Dynamics 365 (On-Premises), and could allow an authenticated user to perform SQL injection attacks and execute commands as db_owner within their Dynamics 365 database, Childs explained. They have a CVSS score of 8.8.
As for noncritical flaws to pay attention to first this month, Childs also flagged a denial-of-service bug in Windows DNS Server (CVE-2022-34724, CVSS score of 7.5), which can be exploited by a remote, unauthenticated attacker to knock out the DNS service used to connect to cloud resources and websites.
While there's no chance of code execution, the bug should be treated as critical, he added. With so many resources in the cloud, a loss of DNS pointing the way to those resources could be catastrophic for many enterprises, Childs said.
Rapid7's Patch Tuesday analysis this month, sent via email, also noted that SharePoint administrators should be aware of four separate RCE bugs, all rated important (CVE-2022-35823, CVE-2022-37961, CVE-2022-38008, and CVE-2022-38009).
And there's a large swath of RCE bugs affecting the OLE DB Provider for SQL Server and the Microsoft ODBC Driver (CVE-2022-34731, CVE-2022-34733, CVE-2022-35834, CVE-2022-35835, CVE-2022-35836, and CVE-2022-35840).
These require some social engineering to exploit, by convincing a user to either connect to a malicious SQL Server or open a maliciously crafted .mdb (Access) file, Greg Wiseman, product manager at Rapid7, explained in the analysis.
Overall, administrators should have an easier time parsing the lighter patch load this month, but ZDI's Childs noted that the smaller collection is in line with the volume of patches from previous September releases. Qualys' Jogi also pointed out that while September's Patch Tuesday clocks in on the lighter side, Microsoft hit a milestone of fixing its 1,000th CVE of the year, meaning the software giant is likely on track to surpass 2021, in which it patched 1,200 CVEs in total.
