Microsoft's September Patch Tuesday fixes five critical bugs

In a relatively quiet month, there are nevertheless several fixes for sysadmins to be aware of

Microsoft's September 2022 Patch Tuesday includes fixes for 63 vulnerabilities, five of which are 'Critical' remote code execution (RCE) flaws. Patches were released earlier for another 16 flaws affecting the Edge browser.

Two zero-day vulnerabilities have been patched. One of them, CVE-2022-37969 (CVSS score 7.8, 'Important'), a Windows Common Log File System Driver Elevation of Privilege Vulnerability, is being actively exploited. Microsoft credits researchers at four vendors, DBAPPSecurity, Mandiant, CrowdStrike and Zscaler, for its discovery.

The glitch allows system-level access, meaning it should be patched as a matter of urgency.

"This is the level of access required for tools like Mimikatz that can be used to gain access to domain level accounts," Kev Breen, Director of Cyber Threat Research at Immersive Labs, told Computing.

"Any vulnerability that is actively exploited by attackers in the wild must be put to the top of any patching list and this one is no different. Don't be fooled by its relatively low CVSS score of 7.8, privilege escalation vulnerabilities are often highly sought after by cyber attackers."

Bharat Jogi, Director of Vulnerability and Threat Research at Qualys, provided some more detail: "The CLFS Driver is a general-purpose logging subsystem first introduced in Windows 2003 R2 Operating system that has become highly important and has shipped with all later versions. Seeing as this vulnerability was reported to Microsoft by four different cybersecurity companies, it is highly likely that it is being leveraged extensively in the wild - specifically by APT groups and malware authors - to gain elevated privileges."

Microsoft also released a fix for a data-leaking bug that was reported as a zero-day in March by researchers at VU Amsterdam. Spectre-BHB (CVE-2022-23960) affects Windows 11 on ARM64.

The 'Critical' vulnerabilities fixed this month include RCE vulnerabilities in Windows Internet Key Exchange (IKE), CVE-2022-34722 (CVSS 9.8) and CVE-2022-34721 (CVSS 9.8), and CVE-2022-34718 (CVSS 9.8), an RCE flaw in any Windows system reachable via IPv6.

While these bugs require IPsec to be enabled, they are easily exploited by an attacker sending a specially crafted packet, hence the high score.
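Because the three network-facing Critical fixes above only matter on hosts where IPsec/IKE is actually in use, a sysadmin's first question is which machines expose that surface. The script below is an added example, not code from the article or from Microsoft; it uses the built-in Get-Service, Get-NetIPsecRule, Get-NetAdapterBinding and Get-HotFix cmdlets to report whether the IKE service is running, whether any IPsec rules are enabled, whether IPv6 is bound on any adapter, and whether any updates have been installed since the September 2022 Patch Tuesday release date (13 September 2022). The LikelyExposed flag is a heuristic constructed for this example, not a Microsoft-defined condition.

```powershell
# Added example (not from the article): assess whether a Windows host exposes
# the IPsec/IKE surface addressed by the CVE-2022-34721, CVE-2022-34722 and
# CVE-2022-34718 fixes. Run in an elevated PowerShell session on the host.
# Assumes the built-in NetSecurity and NetAdapter modules are available.

function Get-IpsecExposure {
    # IKEEXT implements IKE; if it is not running, the IKE surface is not listening.
    $ike = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue

    # Enabled IPsec connection security rules show that IPsec is actually in use.
    $ipsecRules = @(Get-NetIPsecRule -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' })

    # Adapters with IPv6 bound: relevant to CVE-2022-34718, which the article
    # describes as reachable over IPv6.
    $ipv6Adapters = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled })

    # Updates installed on or after the September 2022 Patch Tuesday date.
    # Coarse check only: confirm the exact KB for the host's build separately.
    $patchDay = [datetime]'2022-09-13'
    $recentFixes = @(Get-HotFix | Where-Object { $_.InstalledOn -ge $patchDay })

    $ikeRunning = ($null -ne $ike) -and ($ike.Status -eq 'Running')

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        IkeServiceStatus  = if ($ike) { $ike.Status.ToString() } else { 'NotFound' }
        EnabledIpsecRules = $ipsecRules.Count
        IPv6BoundAdapters = $ipv6Adapters.Count
        UpdatesSincePatch = $recentFixes.Count
        # Heuristic (constructed for this example): IKE listening, IPsec in use,
        # and nothing installed since Patch Tuesday.
        LikelyExposed     = ($ikeRunning -and $ipsecRules.Count -gt 0 -and $recentFixes.Count -eq 0)
    }
}

Get-IpsecExposure | Format-List
```

Run it across a fleet with Invoke-Command and sort by LikelyExposed to prioritise patching; hosts with IKEEXT stopped and no IPsec rules can follow the normal update cadence, while the rest should be patched first. Get-HotFix only reports updates recorded in Win32_QuickFixEngineering, so treat a zero count as a prompt to verify, not as proof the host is unpatched.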

The other two critical flaws occur in the on-premises version of Microsoft Dynamics CRM. Both CVE-2022-35805 (CVSS 8.8) and CVE-2022-34700 (CVSS 8.8) are RCE vulnerabilities, and both allow an authenticated user to "run a specially crafted trusted solution package to execute arbitrary SQL commands," Microsoft says.

Elsewhere, Microsoft fixed four glitches in SharePoint that could be used to steal or alter information.

"Tracked as CVE-2022-35823, CVE-2022-38008, CVE-2022-38009 and CVE-2022-37961, an attacker would, however, need authenticated access with the ability to edit existing content. This kind of vulnerability would likely be abused by an attacker who already has the initial foothold to move laterally across the network," said Breen.

And there were patches for four Microsoft SQL Server bugs, which, while carrying a CVSS score of 8.8, are hard to exploit.

"These require some social engineering to exploit, by convincing a user to either connect to a malicious SQL Server or open a maliciously crafted .mdb (Access) file," said Greg Wiseman, Lead Product Manager at Rapid7.