On 13 September 2022, Microsoft released updates to address 63 vulnerabilities; five were classified as ‘Critical’, two have been publicly disclosed, and one of which is being actively exploited. We recommend applying the latest updates as soon as possible.
Microsoft noted that threat actors are exploiting a publicly disclosed vulnerability tracked as CVE-2022-37969. This vulnerability affects Common Log File System (CLFS), a logging subsystem that is accessible to both kernel-mode as well as user-mode applications for transaction logging and/or recovery. Prior access is required, and a threat actor would have to engineer interaction with a victim. If the victim opens a file or a link, the threat actor would be able to execute code with elevated privileges. Microsoft rated this flaw as “important” and assigned a CVSS risk score of 7.8 out of 10. This flaw appears to be identical to CVE-2022-24521, another local privilege escalation (LPE) issue that Microsoft fixed and reported to be exploited in April 2022.
As part of the 13 September update, Microsoft included a fix for another LPE vulnerability in CLFS CVE-2022-35803, noting that “exploitation is more likely”. Threat actors often exploit flaws that are similar in nature and are likely to take note of the proof-of-concept (POC) details available for the CLFS flaws mentioned above.
Another publicly disclosed flaw fixed in the September update is tracked as CVE-2022-23960. It is a Cache Speculation Restriction vulnerability that was disclosed in March 2022 as Spectre-BHB or Branch History Injection (BHI). It is a variant of processor-based speculative execution issues known as Spectre-v2, affecting Windows 11 for ARM64-based Systems. Due to speculation issues in the victim’s hardware, a threat actor could perform cache allocation, which could lead to information disclosure.
Some notable vulnerabilities that were labelled as critical include:
CVE-2022-34718 – a Remote Code Execution (RCE) vulnerability in Windows TCP/IP. It could allow a remote unauthenticated threat actor to execute code with elevated privileges on affected systems without user interaction. The flaw, however, only affects systems that have enabled IPv6 and have Internet Protocol Security (IPsec) configured. CVSS: 9.8
CVE-2022-34721 and CVE-2022-34722 both affect Windows Internet Key Exchange (IKE) Protocol Extensions. Both flaws carry a CVSS score of 9.8. An unauthenticated threat actor could send a malicious IP packet to a target machine that is running Windows and has IPSec enabled, which could enable an RCE. These issues only impact IKEv1. All Windows Servers are affected because they accept both V1 and V2 packets.
We recommend timely patching of the Microsoft vulnerabilities noted as critical and publicly disclosed in order to decrease the likelihood of exploitation.
Microsoft has reported authentication failures after installing the updates on servers used as domain controllers; testing should be conducted prior to patching. We recommend consulting the Known Issues and Microsoft Support Document referenced below prior to applying the updates.
In order to expedite the updates, users should go to Settings > Windows Update > Check for Updates.