Security
Headlines
HeadlinesLatestCVEs

Headline

Microsoft Patch Tuesday for July 2022 — Snort rules and prominent vulnerabilities

By Jon Munshaw and Tiago Pereira. Microsoft released its monthly security update Tuesday, disclosing more than 80 vulnerabilities in the company’s various software, hardware and firmware offerings, including one that’s actively being exploited in the wild. July’s security update…

[[ This is only the beginning! Please visit the blog for the complete entry ]]

TALOS
#vulnerability#windows#microsoft#cisco#rce#auth

By Jon Munshaw and Tiago Pereira.

Microsoft released its monthly security update Tuesday, disclosing more than 80 vulnerabilities in the company’s various software, hardware and firmware offerings, including one that’s actively being exploited in the wild.

July’s security update features three critical vulnerabilities, up from one last month, still lower than Microsoft’s average in a Patch Tuesday. All the other vulnerabilities fixed are considered “important.”

All three critical vulnerabilities allow remote code execution on Microsoft Windows Systems. Of these, Microsoft considers the exploitation of CVE-2022-22029, CVE-2022-22038 and CVE-2022-22039 less likely to occur.

CVE-2022-22029 could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS). However, according to Microsoft, it has high attack complexity and would require repeated exploitation attempts through sending constant or intermittent data.

Another critical vulnerability, CVE-2022-22038, is also considered to be more difficult to exploit because it requires undisclosed additional actions by an attacker to prepare the target environment for exploitation.

CVE-2022-22039 iss another remote code execution flaw in Windows Network File System that requires an attacker to win a race condition to exploit it, making this vulnerability less likely to be exploited.

Microsoft Azure Batch Node Agent contains a remote code execution vulnerability: CVE-2022-33646. Microsoft considers this more likely to be exploited. However, the attack vector is identified as Local, which reduces its severity. It is worth mentioning that mitigating this vulnerability requires that a user follows the best practices advised by Microsoft and periodically resizes the azure node pools to zero to force the Agent to be updated to the latest version.

Of the vulnerabilities considered “important” and not critical, CVE-2022-22047 is worth special notice, as it is a local privilege escalation vulnerability reported as being actively exploited in the wild.

Talos would also like to highlight six important vulnerabilities that Microsoft considers to be “more likely” to be exploited:

  • CVE-2022-30202 — Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability
  • CVE-2022-30215 — Active Directory Federation Services Elevation of Privilege Vulnerability
  • CVE-2022-30216 — Windows Server Service Tampering Vulnerability
  • CVE-2022-30220 — Windows Common Log File System Driver Elevation of Privilege Vulnerability
  • CVE-2022-22034 — Windows Graphics Component Elevation of Privilege Vulnerability

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The Snort 2 rules included in this release that protect against the exploitation of many of these vulnerabilities are 60191, 60192, 60198, 60199, 60201, 60202, 60206, 60207, 60213 and 60214. Additionally, users can deploy Snort 3 rules 300215 and 300216.

Related news

CVE-2022-36957: Published | Zero Day Initiative

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

CVE-2022-38108: Published | Zero Day Initiative

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

Microsoft Addresses Zero-Days, but Exchange Server Exploit Chain Remains Unpatched

The computing giant didn't fix ProxyNotLogon in October's Patch Tuesday, but it disclosed a rare 10-out-of-10 bug and patched two other zero-days, including one being exploited.

Windows Vulnerability Could Crack DC Server Credentials Open

The security flaw tracked as CVE-2022-30216 could allow attackers to perform server spoofing or trigger authentication coercion on the victim.

CVE-2022-33646

Azure Batch Node Agent Elevation of Privilege Vulnerability

CVE-2022-33646

Azure Batch Node Agent Elevation of Privilege Vulnerability.

Apple Just Patched 37 iPhone Security Bugs

Plus: A Google Chrome patch licks the DevilsTongue spyware, Android’s kernel gets a tune-up, and Microsoft fixes 84 flaws.

Microsoft Uncovers Austrian Company Exploiting Windows and Adobe Zero-Day Exploits

A cyber mercenary that "ostensibly sells general security and information analysis services to commercial customers" used several Windows and Adobe zero-day exploits in limited and highly-targeted attacks against European and Central American entities. The company, which Microsoft describes as a private-sector offensive actor (PSOA), is an Austria-based outfit called DSIRF that's linked to the

Microsoft Patch Tuesday July 2022: propaganda report, CSRSS EoP, RPC RCE, Edge, Azure Site Recovery

Hello everyone! Microsoft has been acting weird lately. I mean the recent publication of a propaganda report about evil Russians and how Microsoft is involved in the conflict between countries. It wouldn’t be unusual for a US government agency, NSA or CIA to publish such a report. But when a global IT vendor, which, in […]

Threat Source newsletter (July 21, 2022) — No topic is safe from being targeted by fake news and disinformation

By Jon Munshaw.  Welcome to this week’s edition of the Threat Source newsletter.  I could spend time in this newsletter every week talking about fake news. There are always so many ridiculous memes, headlines, misleading stories, viral Facebook posts and manipulated media that I see come across my Instagram feed or via my wife when she shows me TikToks she favorited.  One recent event, though, was so crushing to me that I had to call it out specifically. Former Japanese Prime Minister Shinzo Abe was assassinated earlier this month while making a campaign speech in public. This was a horrible tragedy marking the death of a powerful politician in one of the world’s most influential countries. It was the top story in the world for several days and was even more shocking given Japan’s strict gun laws and the relative infrequency of any global leaders being the target of violence.  It took no time for the internet at large to take this tragedy and immediately try to spin it to the...

CISA Urges Patch of Exploited Windows 11 Bug by Aug. 2

Feds urge U.S. agencies to patch a Microsoft July Patch Tuesday 2022 bug that is being exploited in the wild by August 2.

Update now—July Patch Tuesday patches include fix for exploited zero-day

July's Patch Tuesday gives us a lot of important security updates. Most prominently, a known to be exploited vulnerability in Windows CSRSS. The post Update now—July Patch Tuesday patches include fix for exploited zero-day appeared first on Malwarebytes Labs.

Microsoft Releases Fix for Zero-Day Flaw in July 2022 Security Patch Rollout

Microsoft released its monthly round of Patch Tuesday updates to address 84 new security flaws spanning multiple product categories, counting a zero-day vulnerability that's under active attack in the wild. Of the 84 shortcomings, four are rated Critical, and 80 are rated Important in severity. Also separately resolved by the tech giant are two other bugs in the Chromium-based Edge browser, one

Microsoft Patch Tuesday, July 2022 Edition

Microsoft today released updates to fix at least 86 security vulnerabilities in its Windows operating systems and other software, including a weakness in all supported versions of Windows that Microsoft warns is actively being exploited. The software giant also has made a controversial decision to put the brakes on a plan to block macros in Office documents downloaded from the Internet.

CVE-2022-30202

Windows Advanced Local Procedure Call Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-22037, CVE-2022-30224.

CVE-2022-30216

Windows Server Service Tampering Vulnerability.

CVE-2022-30220

Windows Common Log File System Driver Elevation of Privilege Vulnerability.

CVE-2022-22029

Windows Network File System Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-22039.

CVE-2022-22034

Windows Graphics Component Elevation of Privilege Vulnerability.

CVE-2022-22038

Remote Procedure Call Runtime Remote Code Execution Vulnerability.

CVE-2022-22039

Windows Network File System Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-22029.

CVE-2022-22047

Windows CSRSS Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-22026, CVE-2022-22049.

CVE-2022-30215

Active Directory Federation Services Elevation of Privilege Vulnerability.

Microsoft Issues Fixes for 84 Vulnerabilities: Here's What to Patch Now

July's security update included fixes for one actively exploited flaw, more than 30 bugs in Azure Site Recovery, and four privilege escalation bugs in Windows Print Spooler.

TALOS: Latest News

Bidirectional communication via polyrhythms and shuffles: Without Jon the beat must go on