SANS ISC: Microsoft March 2022 Patch Tuesday - SANS Internet Storm Center

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

This month we got patches for 92 vulnerabilities. Of these, 3 are critical, 3 were previously disclosed, and one is already being exploited according to Microsoft.

Among critical vulnerabilities, there is a remote code execution (RCE) affecting Microsoft Exchange Server (CVE-2022-23277). According to the advisory, to exploit this vulnerability the attacker, as an authenticated user, could attempt to trigger malicious code in the context of the server's account through a network call. The CVSS for this vulnerability is 8.8 - the highest for this month.

The other two critical vulnerabilities are related to RCE vulnerabilities affecting  HEVC (CVE-2022-22006) and VP9 (CVE-2022-24501) video extensions. For both vulnerabilities, an attacker could exploit the vulnerability by convincing a victim to download and open a specially crafted file which could lead to a crash. The CVSS is the same for both as well: 7.8.

Now talking about the previously disclosed vulnerabilities, all three were rated as 'important'. One of them (CVE-2022-21990) is an RCE affecting Remote Desktop Client with a CVSS of 8.8 and rated as 'More likely' to be exploited in the security advisory. In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client.

The second is an elevation of privilege vulnerability affecting Windows Fax and Scan Service (CVE-2022-24459) with a CVSS of 7.8 and the third is an RCE on .Net and Visual Studio with a CVSS of 6.3.

Among important vulnerabilities, there is an RCE affecting Windows Event Tracing (CVE-2022-23294). The advisory says: "an attacker with non-admin credentials can potentially carry out an exploit using this vulnerability. The authenticated attacker could potentially take advantage of this vulnerability to execute malicious code through the Event Log's Remote Procedure Call (RPC) endpoint on the server-side". About mitigation factors related to this vulnerability, the advisory says: "Access to the Event Log service endpoint is blocked by default and a firewall rule change is required to make the endpoint accessible from a locally triggered attack.".

See Renato's dashboard for a more detailed breakout: https://patchtuesdaydashboard.com/

March 2022 Security Updates

--
Renato Marinho
Morphus Labs| LinkedIn|Twitter