Microsoft addresses 55 CVEs in its June 2022 Patch Tuesday release, including three critical flaws.
3Critical
52Important
0Moderate
0Low
Microsoft patched 55 CVEs in its June 2022 Patch Tuesday release, with three rated as critical, 52 rated as important.
This month’s update includes patches for:
.NET and Visual Studio
Azure OMI
Azure Real Time Operating System
Azure Service Fabric Container
Intel
Microsoft Edge (Chromium-based)
Microsoft Office
Microsoft Office Excel
Microsoft Office SharePoint
Microsoft Windows ALPC
Microsoft Windows Codecs Library
Remote Volume Shadow Copy Service (RVSS)
Role: Windows Hyper-V
SQL Server
Windows Ancillary Function Driver for WinSock
Windows App Store
Windows Autopilot
Windows Container Isolation FS Filter Driver
Windows Container Manager Service
Windows Defender
Windows Encrypting File System (EFS)
Windows File History Service
Windows Installer
Windows iSCSI
Windows Kerberos
Windows Kernel
Windows LDAP – Lightweight Directory Access Protocol
Windows Local Security Authority Subsystem Service
Windows Media
Windows Network Address Translation (NAT)
Windows Network File System
Windows PowerShell
Windows SMB
Remote code execution (RCE) vulnerabilities accounted for 49.1% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 21.8%.
CVE-2022-30136 | Windows Network File System Remote Code Execution Vulnerability
CVE-2022-30136 is a RCE vulnerability in the network file system (NFS) that can be exploited by an unauthenticated attacker using a specially crafted call to a NFS service. The vulnerability received a 9.8 CVSSv3 score and Microsoft rated this as “Exploitation More Likely” according to its Exploitability Index. The advisory notes that NFS versions 2.0 and 3.0 are not affected and administrators can disable NFS version 4.1 to mitigate this flaw. Disabling NFSv4.1 could have adverse impacts, so organizations should carefully consider this step before adopting it. Microsoft does note that this is only a temporary mitigation option, organizations should apply the patch as soon as possible. The advisory also provides a warning that you should not disable NFSv4.1 unless you have installed the May 2022 Windows security updates, specifically the updates addressing CVE-2022-26937.
Both CVE-2022-30136 and CVE-2022-26937 are credited to Yuki Chen, a prolific researcher with Cyber KunLun who has been credited with discovering nine vulnerabilities in Microsoft products in June 2022.
CVE-2022-30160 | Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability
CVE-2022-30160 is an EoP vulnerability affecting the advanced local procedure call (ALPC), a message-passing mechanism for internal operating system communications. With a CVSSv3 score of 7.8, this vulnerability can be exploited by a local, authenticated attacker. Researcher Jarvis_1oop is credited with discovering this flaw, which was rated as“Exploitation More Likely.” patches are available for all supported Windows variants including Windows Server Core installations.
CVE-2022-30147 | Windows Installer Elevation of Privilege Vulnerability
CVE-2022-30147 is an EoP vulnerability affecting the Windows Installer. The flaw received a 7.8 CVSSv3 score and can be exploited by a local, authenticated attacker. Microsoft’s exploitability assessment rates this vulnerability as “Exploitation More Likely” and patches are available for all supported Windows variants including Windows Server Core Installations. This vulnerability was an internal discovery at Microsoft credited to Levi Broderick with Microsoft and Andrew Ruddick.
Seven Remote Code Execution Vulnerabilities in Windows Lightweight Directory Access Protocol
This month Microsoft patched seven vulnerabilities in the Lightweight Directory Access Protocol (LDAP).
CVE-2022-30139
CVE-2022-30141
CVE-2022-30143
CVE-2022-30146
CVE-2022-30149
CVE-2022-30153
CVE-2022-30161
Two of the CVEs, CVE-2022-30153 and CVE-2022-30161 received CVSSv3 scores of 8.8, CVE-2022-30141 was scored at 8.1, and the remainder of the flaws each were scored at 7.5. Microsoft has rated all of these vulnerabilities as “Exploitation Less Likely.” The vulnerability descriptions for CVE-2022-30139, CVE-2022-30141 and CVE-2022-30143 provide the same caveat that the vulnerability only exists if the “MaxReceiveBuffer” LDAP policy is configured to a higher value than the default value (i.e. a higher maximum number of threads LDAP requests can contain per processor). A system with the default value for the policy would not be affected. In the case of both CVE-2022-30139 and CVE-2022-30141, no user interaction is required, however an attacker must “prepare the target environment to improve exploit reliability.” The remainder of the CVEs all require some form of user interaction in order to exploit the vulnerability.
Vulnerabilities not present in release notes
While no release notes or official documentation from Microsoft have been released, Tenable Research has responsibly disclosed two vulnerabilities to Microsoft. The vulnerabilities found in Microsoft’s Azure Synapse Analytics were found by Tenable Researcher Jimi Sebree. These flaws allow a user to escalate privileges to that of the root user within the underlying Apache Spark virtual machines, or to poison the hosts file of all nodes in an Apache Spark pool. The keys, secrets and services accessible via these vulnerabilities have traditionally allowed further lateral movement and compromise of Microsoft-owned infrastructure, which could potentially lead to a compromise of other customers’ data as we’ve seen in other research reports. The privilege escalation vulnerability has been patched and no action is required for Azure Synapse Analytics users. You can read more about these vulnerabilities in the Tenable Blog and a detailed write up can be found on our technical blog.
CVE-2022-30190 | Microsoft Windows Support Diagnostic Tool Remote Code Execution Vulnerability
CVE-2022-30190, also known as “Follina” — the RCE vulnerability in the Microsoft Windows Support Diagnostic Tool that was disclosed in late May and exploited in the wild — has now received patches for affected Windows systems. While Microsoft had provided mitigation guidance in an advisory on May 30, patches were not released until June 14.
Internet Explorer 11 End Of Support
On Wednesday June 15, support for Internet Explorer (IE) 11 will end for certain versions of WIndows 10. Microsoft recommends switching to Microsoft Edge and notes that IE 11 is the last major version for Internet Explorer. Tenable customers can utilize Plugin ID 22024 – Microsoft Internet Explorer Unsupported Version Detection to identify systems that have an unsupported version of IE. An update to the plugin will be released on June 15 to account for these updates from Microsoft.
Tenable Solutions
Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the plugins tab, set an advanced filter for Plugin Name contains June 2022.
With that filter set, click the plugin families to the left and enable each plugin that appears on the right side. Note: If your families on the left say Enabled, then all the plugins in that family are set. Disable the whole family before selecting the individual plugins for this scan. Here’s an example from Tenable.io:
A list of all the plugins released for Tenable’s June 2022 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.
Get more information
Microsoft’s June 2022 Security Updates
Tenable plugins for Microsoft June 2022 Patch Tuesday Security Updates
Join Tenable’s Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.
More Stories
The AI Fix #30: ChatGPT reveals the devastating truth about Santa (Merry Christmas!)
In episode 30 of The AI Fix, AIs are caught lying to avoid being turned off, Apple’s AI flubs a...
US and Japan Blame North Korea for $308m Crypto Heist
A joint US-Japan alert attributed North Korean hackers with a May 2024 crypto heist worth $308m from Japan-based company DMM...
Spyware Maker NSO Group Found Liable for Hacking WhatsApp
A judge has found that NSO Group, maker of the Pegasus spyware, has violated the US Computer Fraud and Abuse...
Spyware Maker NSO Group Liable for WhatsApp User Hacks
A US judge has ruled in favor of WhatsApp in a long-running case against commercial spyware-maker NSO Group Read More
Major Biometric Data Farming Operation Uncovered
Researchers at iProov have discovered a dark web group compiling identity documents and biometric data to bypass KYC checks Read...
Ransomware Attack Exposes Data of 5.6 Million Ascension Patients
US healthcare giant Ascension revealed that 5.6 million individuals have had their personal, medical and financial information breached in a...