Microsoft Patch Tuesday for June 2022 — Snort rules and prominent vulnerabilities


TALOS

By Chetan Raghuprasad.

Microsoft released its monthly security update Tuesday, disclosing 55 vulnerabilities in the company’s firmware and software. One of these vulnerabilities is considered critical, 40 are listed as high severity, and the remainder is considered “moderate.”

The most serious issue is CVE-2022-30136, a remote code execution vulnerability in the Windows Network File System (NFS) service, version NFSv4.1, with a near-maximum severity score of 9.8. An attacker can exploit the vulnerability over the network by making an unauthenticated, specially crafted call to an NFS service to execute remote code. To mitigate this vulnerability, users are advised to disable the vulnerable version NFSv4.1 and then restart the NFS server or reboot the machine.
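As an added example (not part of the Talos post or of Microsoft's advisory text), the following PowerShell script applies the interim mitigation described above on a Windows host running the Server for NFS role. It uses the Server for NFS cmdlets Get-NfsServerConfiguration and Set-NfsServerConfiguration and the nfsadmin tool; it assumes the NFS PowerShell module is installed and that the session is elevated. Note that the EnableNFSV4 setting governs NFSv4.1 support as a whole, so any client that depends on NFSv4.1 loses access until the setting is restored after patching.

```powershell
# Added example: interim mitigation for CVE-2022-30136 on a Windows host
# running the Server for NFS role. Assumes the NFS PowerShell module
# (Get-/Set-NfsServerConfiguration) and nfsadmin are available. Disabling
# NFSv4 turns off NFSv4.1; clients that depend on it lose access until it
# is re-enabled after the update is installed.
#Requires -RunAsAdministrator

$config = Get-NfsServerConfiguration

if (-not $config.EnableNFSV4) {
    Write-Output "NFSv4.1 is already disabled on this server; nothing to do."
    return
}

Write-Output "NFSv4.1 is enabled; disabling it as an interim mitigation."

# Record the current protocol settings so they can be restored after patching.
# The output path is an arbitrary choice for this example.
$backup = Join-Path $env:ProgramData "nfs-protocols-before-mitigation.xml"
$config | Select-Object EnableNFSV2, EnableNFSV3, EnableNFSV4 |
    Export-Clixml -Path $backup
Write-Output "Previous protocol settings saved to $backup"

Set-NfsServerConfiguration -EnableNFSV4 $false

# The change takes effect only after the NFS server is restarted
# (the advisory's alternative is a full reboot of the machine).
nfsadmin server stop
nfsadmin server start

# Verify that the change took hold.
$after = Get-NfsServerConfiguration
if ($after.EnableNFSV4) {
    Write-Error "NFSv4 is still enabled after the restart; check the NFS service state."
} else {
    Write-Output "NFSv4.1 is disabled. Re-enable it with 'Set-NfsServerConfiguration -EnableNFSV4 `$true' once the June 2022 update is installed."
}
```

Run the script in an elevated session on each NFS server; the exported settings file lets you confirm what was changed when you re-enable NFSv4.1 after the update is applied.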

Microsoft SharePoint server contains a remote code execution vulnerability, CVE-2022-30157, with a severity score of 8.8. To exploit this vulnerability, the attacker must be authenticated and have the correct privileges to create a page on the vulnerable SharePoint server. If a targeted victim clicks on a specific page, it could trigger code remotely on the target server. If the adversary also has access to the server with the sandboxed Code Service enabled, they could execute the code in the context of the web service account.

Two other high-severity vulnerabilities, CVE-2022-30153 and CVE-2022-30161, exist in the Windows Lightweight Directory Access Protocol (LDAP). These issues could lead to remote code execution. An attacker could exploit these vulnerabilities by tricking an authenticated victim on the targeted network into connecting to a malicious LDAP server with an LDAP client on the victim’s machine. The attacker must then send specially crafted replies to the client that exploit the vulnerability and permit the execution of arbitrary code within the context of the victim’s LDAP client application.

Another high-severity vulnerability, CVE-2022-30141, in Windows Lightweight Directory Access Protocol (LDAP) applies only to users who have set the MaxReceiveBuffer LDAP policy to a value higher than the default. The attacker requires preparation in the victim’s environment to exploit this vulnerability, but successful exploitation would result in the attacker’s code running in the context of the SYSTEM account.

Microsoft Kerberos has two high-severity vulnerabilities. One, CVE-2022-30165, is an elevation of privilege vulnerability that affects Windows Server installations configured with the Remote Credential Guard (RCG) and Credential Security Service Provider (CredSSP) features. An unauthenticated attacker exploiting this vulnerability could elevate privileges and then spoof the Kerberos login process when a Remote Credential Guard (RCG) connection is made via Credential Security Service Provider (CredSSP) over the network.

The other, CVE-2022-30164, is a Kerberos AppContainer security feature bypass vulnerability in which a low-privilege attacker could execute a malicious script within an Application Container to request a service ticket and elevate the service privilege, leading to code execution or access to resources at a higher integrity level than that of the Application Container execution environment.

Windows Hyper-V also contains a high-severity vulnerability, CVE-2022-30163, that could lead to remote code execution. An attacker needs to run a specially crafted application on a Hyper-V guest to exploit this vulnerability. A successful attack would allow the attacker to traverse the Hyper-V guest’s security boundary to execute arbitrary code on the Hyper-V host execution environment.

CVE-2022-30160 is another privilege escalation vulnerability, this one in Windows Advanced Local Procedure Call (ALPC): an attacker who wins a race condition triggers a use-after-free in the ALPC code of the Windows NT kernel.

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 59967, 59968, 59971 and 59972. There are also Snort 3 rules 300201 and 300202.

Related news

CVE-2022-38108: Published | Zero Day Initiative

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

CVE-2022-36957: Published | Zero Day Initiative

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

Microsoft Patch Tuesday June 2022: Follina RCE, NFSV4.1 RCE, LDAP RCEs and bad patches

Hello everyone! This will be an episode about the Microsoft vulnerabilities that were released on June Patch Tuesday and also between May and June Patch Tuesdays. Alternative video link (for Russia): https://vk.com/video-149273431_456239094 On June Patch Tuesday, June 14, 56 vulnerabilities were released. Between May and June Patch Tuesdays, 38 vulnerabilities were released. This gives us 94 […]

Threat Source newsletter (June 16, 2022) — Three top takeaways from Cisco Live

By Jon Munshaw. Welcome to this week’s edition of the Threat Source newsletter. I’m still decompressing from Cisco Live and the most human interaction I’ve had in a year and a half. But after spending a few days on the show floor and interacting with everyone, there are a...

CVE-2022-30164

Kerberos AppContainer Security Feature Bypass Vulnerability.

CVE-2022-30163

Windows Hyper-V Remote Code Execution Vulnerability.

CVE-2022-30161

Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-30139, CVE-2022-30141, CVE-2022-30143, CVE-2022-30146, CVE-2022-30149, CVE-2022-30153.

CVE-2022-30165

Windows Kerberos Elevation of Privilege Vulnerability.

CVE-2022-30153

Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-30139, CVE-2022-30141, CVE-2022-30143, CVE-2022-30146, CVE-2022-30149, CVE-2022-30161.

CVE-2022-30136

Windows Network File System Remote Code Execution Vulnerability.

CVE-2022-30141

Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-30139, CVE-2022-30143, CVE-2022-30146, CVE-2022-30149, CVE-2022-30153, CVE-2022-30161.

CVE-2022-30160

Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability.

CVE-2022-30157

Microsoft SharePoint Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-30158.

Update now! Microsoft patches Follina, and many other security updates

Patch Tuesday for June 2022 brought a fix for Follina and many other security vulnerabilities. Time to figure out what needs to be prioritized. (Originally published on Malwarebytes Labs.)

Microsoft Patch Tuesday, June 2022 Edition

Microsoft on Tuesday released software updates to fix 60 security vulnerabilities in its Windows operating systems and other software, including a zero-day flaw in all supported Microsoft Office versions on all flavors of Windows that's seen active exploitation for at least two months now. On a lighter note, Microsoft is officially retiring its Internet Explorer (IE) web browser, which turns 27 years old this year.

Patch Tuesday: Microsoft Issues Fix for Actively Exploited 'Follina' Vulnerability

Microsoft officially released fixes to address an actively exploited Windows zero-day vulnerability known as Follina as part of its Patch Tuesday updates. Also addressed by the tech giant are 55 other flaws, three of which are rated Critical, 51 are rated Important, and one is rated Moderate in severity. Separately, five other shortcomings were resolved in the Microsoft Edge browser.
