Patch Tuesday: Two zero-days and 17 critical flaws fixed in Microsoft's August update


A hefty 121 vulnerabilities have been patched this month

Microsoft has fixed a total of 121 flaws in its August Patch Tuesday update.

Seventeen of the flaws are classified as 'critical' since they allow remote code execution (RCE) or privilege escalation; two are classed as zero-days since they were publicly known before a fix was available.

The latter category includes 'DogWalk' (CVE-2022-34713), a Microsoft Windows Support Diagnostic Tool (MSDT) RCE flaw, so called because an attacker can 'walk' across directories to place a malicious executable in the victim's Startup folder.

DogWalk was a known flaw, but not thought by Microsoft to present a serious risk until this May, when it was spotted being exploited in the wild.

"It was initially reported back in 2019, but not deemed a vulnerability as it was believed to require significant user interaction to exploit, and there were various other mitigations in place," noted Bharat Jogi, director, vulnerability and threat research at Qualys. "However, as we see today's bad actors growing more sophisticated and creative in their exploits."

Satnam Narang, senior staff research engineer at Tenable, added: "MSDT has received renewed focus since May, when it was discovered that attackers used a zero-day in MSDT as part of malicious Word document files. The flaw, which was dubbed Follina by security researchers, was patched in June. With reports that CVE-2022-34713 has been exploited in the wild, it would appear that attackers are looking to take advantage of flaws within MSDT as these types of flaws are extremely valuable to launch spearphishing attacks".

DogWalk has a CVSS severity score of 7.8 with a low attack complexity and no need for elevated privileges, according to Microsoft, although it does require that the victim is tricked into opening a specially crafted file.
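The DogWalk description above comes down to an archive entry whose name escapes the directory it is supposed to be unpacked into. The following is an added example, not MSDT's code and not from the article, of the containment check a tool that unpacks untrusted packages should apply before writing any entry to disk; the destination path and member names are constructed for illustration.

```python
import ntpath

# Constructed destination directory for an unpacked diagnostic package
# (a placeholder path, not MSDT's real unpack location).
DEST_DIR = r"C:\Users\victim\AppData\Local\Temp\diag_unpack"


def is_safe_member_path(dest_dir: str, member_name: str) -> bool:
    """True only if dest_dir\\member_name still lies inside dest_dir after
    normalisation. Rejects drive letters, UNC and rooted paths, NUL bytes and
    '..' traversal, i.e. the ways an entry could land in a Startup folder
    instead of the unpack directory."""
    if not member_name or "\x00" in member_name:
        return False
    drive, rest = ntpath.splitdrive(member_name)
    if drive or ntpath.isabs(member_name) or rest.startswith(("\\", "/")):
        return False
    base = ntpath.normcase(ntpath.normpath(dest_dir))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(dest_dir, member_name)))
    # Prefix check must include the separator so "diag_unpack2" is not accepted.
    return target == base or target.startswith(base + "\\")


def filter_members(dest_dir: str, names: list[str]) -> tuple[list[str], list[str]]:
    """Split archive member names into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for name in names:
        (accepted if is_safe_member_path(dest_dir, name) else rejected).append(name)
    return accepted, rejected


# Constructed member names for demonstration only.
SAMPLE_MEMBERS = [
    "diag.xml",
    "scripts\\collect.ps1",
    "nested\\..\\ok.txt",
    "..\\..\\..\\..\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\x.exe",
    "C:\\Windows\\System32\\drop.dll",
    "\\\\share\\x\\y.exe",
    "sub\\..\\..\\escape.exe",
]

if __name__ == "__main__":
    ok, bad = filter_members(DEST_DIR, SAMPLE_MEMBERS)
    print("accepted:", ok)
    print("rejected:", bad)
```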

The other zero-day is a Microsoft Exchange information disclosure vulnerability (CVE-2022-30134, CVSS score 7.6) that could enable an attacker to read targeted email messages if the victim can be persuaded to connect to a malicious server. This vulnerability, which affects some builds of Exchange versions 2013, 2016 and 2019, also has a low attack complexity, and Microsoft has provided more details about its mitigation in a blog post.

Among the 17 critical vulnerabilities, two (CVE-2022-30133 and CVE-2022-35744) are accorded a CVSS score of 9.8 out of 10. Both are RCE flaws in Windows Point-to-Point Protocol, allowing an unauthenticated attacker to send a specially crafted connection request to a remote access server (RAS), which could lead to remote code execution (RCE) on that machine.

Other critical bugs patched in this month's update include six flaws in Windows Secure Socket Tunnelling Protocol (SSTP) that also affect RAS.

"Seven CVEs affecting the Windows Secure Socket Tunnelling Protocol (SSTP) on RAS were fixed this month: six RCEs and one denial of service. If you have RAS in your environment but are unable to patch immediately, consider blocking traffic on port 1723 from your network," said Greg Wiseman, lead product manager at Rapid7.

Microsoft provides more information about mitigating these RAS flaws on its update guide pages, noting that disabling that port could cause connectivity issues.

Three critical vulnerabilities have been patched in Exchange Server, and one each in Active Directory, Azure Batch Node Agent, Hyper-V, and the Windows Kernel (SMB client and server).

Microsoft also patched 20 flaws in the Edge browser earlier this month.