August 2022 Patch Tuesday: MSDT update fixes zero-day DogWalk and Exchange

August brings fixes for a longstanding Microsoft Support Diagnostics Tool bug, a long list of Critical and Exploitation More Likely vulnerabilities, along with an Exchange Server zero-day. This is a lot for defenders to digest, but the good news is timely application of security updates and following the instructions provided by Microsoft should make short work of this month’s two zero-days. This hopefully brings an end to the DogWalk vulnerability and similar issues being a challenge to mitigate now that Microsoft has provided a fix rather than workaround guidance.
Microsoft Vulnerabilities Addressed
This Patch Tuesday brings an increase in the total number of fixes from the previous month and is one of the highest counts for the year—121 different vulnerabilities have been addressed with two more receiving updates for previous fixes. CVE-2022-26832 and CVE-2022-30130 have both received version updates, with Microsoft also recommending the application of KB5016268.
These vulnerabilities are rated as Low and Important, so they aren’t going to be on many priority lists, but they do highlight that dealing with vulnerabilities is a continuous effort. Fixes applied to deal with a vulnerability may need tweaking as the vulnerability becomes better understood. It’s not impossible to see the same vulnerability receive multiple fixes over an extended period—another reason why having established processes and automated patching in place is so important.
There are also two MSDT-related fixes in this Patch Tuesday release: CVE-2022-35743 and CVE-2022-34713. When it was originally discovered two years ago, the MSDT vulnerability now referred to as DogWalk was considered a won't-fix item by Microsoft. However, the Follina vulnerability from last month put the spotlight back on these earlier MSDT vulnerabilities, and that has resulted in fixes being issued this month. Given that CVE-2022-34713 is marked as Exploitation Detected, CVE-2022-35743 as Exploitation More Likely, and the affected install base is essentially every modern Windows OS, these should be toward the top of priority lists.
The Exchange zero-day, CVE-2022-30134, is marked as Exploitation Unlikely, has no publicly available proof-of-concept attack, and is rated Important. What the vulnerability allows, though (an attacker reading emails), should raise it toward the top of any Exchange admin's to-do list regardless of the likelihood of exploitation.
Microsoft Patch Tuesday Vulnerability Prioritization
CVE-2022-30134, CVE-2022-35743, and CVE-2022-34713 are among the Windows vulnerabilities to prioritize this month. As always, prioritize vulnerabilities not only by severity but also by exploitation likelihood and by the impact exploitation would have on your environment. Vulnerabilities marked Exploitation More Likely or Exploitation Detected are as important to address quickly as Critical ones, some would say more so, because they are more likely to cause actual impact. The CVEs below should be at the top of the list, as each is marked Exploitation More Likely, Exploitation Detected, or Critical.
| CVE | Description | Exploitability | Severity |
| --- | --- | --- | --- |
| | Azure Batch Node Agent Elevation of Privilege Vulnerability | Exploitation More Likely | Critical |
| | Windows Partition Management Driver Elevation of Privilege Vulnerability | Exploitation More Likely | Important |
| | Windows Win32k Elevation of Privilege Vulnerability | Exploitation More Likely | Important |
| | Windows Partition Management Driver Elevation of Privilege Vulnerability | Exploitation More Likely | Important |
| | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability | Exploitation More Likely | Important |
| | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability | Exploitation More Likely | Important |
| | HTTP.sys Denial of Service Vulnerability | Exploitation More Likely | Important |
| | Win32k Elevation of Privilege Vulnerability | Exploitation More Likely | Important |
| | Windows Hyper-V Elevation of Privilege Vulnerability | Exploitation More Likely | Important |
| | Windows Print Spooler Elevation of Privilege Vulnerability | Exploitation More Likely | Important |
| CVE-2022-35756 | Windows Kerberos Elevation of Privilege Vulnerability | Exploitation More Likely | Important |
| CVE-2022-35761 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation More Likely | Important |
| CVE-2022-34303 | CERT/CC: CVE-2022-34303 Crypto Pro Boot Loader Bypass | Exploitation More Likely | Important |
| CVE-2022-34301 | CERT/CC: CVE-2022-34301 Eurosoft Boot Loader Bypass | Exploitation More Likely | Important |
| | SMB Client and Server Remote Code Execution Vulnerability | Exploitation More Likely | Critical |
| | Microsoft Exchange Server Elevation of Privilege Vulnerability | Exploitation More Likely | Critical |
| | Microsoft Exchange Server Elevation of Privilege Vulnerability | Exploitation More Likely | Critical |
| | Microsoft Exchange Server Elevation of Privilege Vulnerability | Exploitation More Likely | Critical |
| CVE-2022-34302 | CERT/CC: CVE-2022-34302 New Horizon Data Systems Inc Boot Loader Bypass | Exploitation More Likely | Important |
| | Windows Print Spooler Elevation of Privilege Vulnerability | Exploitation More Likely | Important |
| | Windows Bluetooth Driver Elevation of Privilege Vulnerability | Exploitation More Likely | Important |
| CVE-2022-34691 | Active Directory Domain Services Elevation of Privilege Vulnerability | Exploitation Less Likely | Critical |
| | Microsoft Exchange Server Elevation of Privilege Vulnerability | Exploitation More Likely | Critical |
| | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Exploitation Less Likely | Critical |
| | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Exploitation Less Likely | Critical |
| | Windows Hyper-V Remote Code Execution Vulnerability | Exploitation Less Likely | Critical |
| | Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability | Exploitation Less Likely | Critical |
| | Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability | Exploitation Less Likely | Critical |
| | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Exploitation Less Likely | Critical |
| CVE-2022-35766 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Exploitation Less Likely | Critical |
| | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Exploitation Less Likely | Critical |
| | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Exploitation Less Likely | Critical |
| | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Exploitation Less Likely | Critical |
| | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Exploitation Less Likely | Critical |
Cumulative Updates
The cumulative updates KB5016616, KB5016623, KB5016622, and KB5016639 were released for various builds of Windows 10, and KB5016629 for Windows 11, this month. Containing the usual rollup of fixes from previous months plus new features, there is not much to highlight with the CUs this month.
Known Complications of Note
There are no major complications being reported as of this blog being published. It is worth highlighting, though, that the Exchange vulnerabilities being addressed this month have additional guidance from Microsoft detailing the need to manually enable Windows Extended Protection to block exploitation.
Other Vendors
VMware released fixes for CVE-2022-31656 and CVE-2022-31659 in recent weeks. With exploit code already available for one and PoCs likely coming soon, VMware admins should be ensuring updates are applied and that plans to replace EOS versions of VMware are an action item.
Summary
As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity, consider including prioritization of patches for Zero-Days, Exploitation Detected, and Exploitation More Likely vulnerabilities in your Patch Management routines.
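The prioritization this post recommends here and in the Prioritization section above, written out as an added example (not code from the post or from N-able): zero-days and Exploitation Detected sort ahead of Exploitation More Likely, which sorts ahead of items that are merely Critical, with a severity-only ordering kept alongside for comparison. The CVE records are constructed from this post's table and text, with ratings as the post states them and titles abbreviated.

```python
from dataclasses import dataclass

# Microsoft Exploitability Index labels, most urgent first.
EXPLOITABILITY_RANK = {
    "Exploitation Detected": 0,
    "Exploitation More Likely": 1,
    "Exploitation Less Likely": 2,
    "Exploitation Unlikely": 3,
}
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

@dataclass(frozen=True)
class Vuln:
    cve: str
    title: str
    exploitability: str
    severity: str
    zero_day: bool = False  # flagged as a zero-day in the post's text

def priority_key(v: Vuln):
    """Sort key: zero-days first, then exploitability, then severity, then CVE id.
    Unrecognised labels sort after every known one instead of raising."""
    return (0 if v.zero_day else 1,
            EXPLOITABILITY_RANK.get(v.exploitability, len(EXPLOITABILITY_RANK)),
            SEVERITY_RANK.get(v.severity, len(SEVERITY_RANK)),
            v.cve)

def prioritize(vulns):
    """Order as the post recommends: zero-day / Exploitation Detected / More Likely before Critical."""
    return sorted(vulns, key=priority_key)

def severity_only(vulns):
    """The severity-first ordering the post warns against, kept for comparison."""
    return sorted(vulns, key=lambda v: (SEVERITY_RANK.get(v.severity, len(SEVERITY_RANK)), v.cve))

# Constructed sample built from this post's table and text (ratings as the post states them).
SAMPLE = [
    Vuln("CVE-2022-34713", "MSDT RCE (DogWalk)", "Exploitation Detected", "Important", zero_day=True),
    Vuln("CVE-2022-35743", "MSDT RCE", "Exploitation More Likely", "Important"),
    Vuln("CVE-2022-30134", "Exchange Server zero-day (read emails)", "Exploitation Unlikely", "Important", zero_day=True),
    Vuln("CVE-2022-35756", "Windows Kerberos EoP", "Exploitation More Likely", "Important"),
    Vuln("CVE-2022-34691", "Active Directory Domain Services EoP", "Exploitation Less Likely", "Critical"),
    Vuln("CVE-2022-35766", "Windows SSTP RCE", "Exploitation Less Likely", "Critical"),
]

if __name__ == "__main__":
    for rank, v in enumerate(prioritize(SAMPLE), 1):
        print(f"{rank}. {v.cve} {v.title} [{v.exploitability}, {v.severity}]")
```

Run stand-alone it prints the recommended order; with severity alone, both zero-days fall to the middle of the list behind the Critical SSTP and AD DS items.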
Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd
LinkedIn: thesecuritypope
Twitch: cybersec_nerd
© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
This document is provided for informational purposes only and its contents should not be considered legal advice. N‑able makes no warranty, express or implied, and assumes no legal liability regarding the accuracy, completeness, or usefulness of the information contained herein.
N-ABLE, N-CENTRAL, and the other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common law marks, registered trademarks, or pending registration with the United States Patent and Trademark Office and in other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (or may be registered trademarks) of their respective companies.