Microsoft released patches to fix 63 vulnerabilities on September 2022 Patch Tuesday, 5 of which have been rated critical, including one zero-day vulnerability affecting Windows that is being actively exploited in the wild. A second zero-day vulnerability has been publicly disclosed but has been rated important with Microsoft believing exploitation is less likely.
The actively exploited zero-day is tracked as CVE-2022-37969, has a CVSS severity score of 7.8/10, and affects all Windows versions. The flaw is an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) Driver. In order to exploit the flaw, an attacker would need to have access to a targeted system and have the ability to run code. Successful exploitation of the flaw would allow a malicious actor to elevate privileges to SYSTEM. The vulnerability was identified by researchers at DBAPPSecurity, Mandiant, CrowdStrike, and Zscaler. No information was provided on the extent to which the vulnerability has been exploited.
The second zero-day vulnerability, tracked as CVE-2022-23960, is a Cache Speculation Restriction vulnerability affecting Windows 11 for ARM64-based Systems. It is rated important, and no CVSS score has been assigned.
The critical vulnerabilities range in severity from 8.8 to 9.8 and all are remote code execution vulnerabilities. They affect Microsoft Dynamics 365 (on-premises), Windows Internet Key Exchange, and Windows TCP/IP.
CVE-2022-34721 & CVE-2022-34722 – CVSS 9.8
Two RCE vulnerabilities in the Windows Internet Key Exchange (IKE) Protocol which could be exploited remotely by an unauthenticated attacker by sending a specially crafted packet to the targeted machine. The flaws can only be exploited if IPSec is enabled.
CVE-2022-34718 – CVSS 9.8
An RCE vulnerability in Windows TCP/IP allowing an unauthenticated attacker to execute code on the targeted system with elevated privileges without any user interaction. The flaw only affects systems with IPv6 enabled and IPSec configured. The flaw is potentially wormable.
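Because the IKE flaws (CVE-2022-34721/34722) require IPsec to be enabled and the TCP/IP flaw (CVE-2022-34718) additionally requires IPv6, a quick triage of those preconditions helps prioritize which unpatched hosts to update first. The following PowerShell script is an added example, not part of the advisory; it reports whether a host has IPv6 bound, IPsec rules or security associations in place, and whether a listed update KB is installed. The KB list is a placeholder to be filled from the Microsoft Update Guide, since the article does not give KB numbers.

```powershell
# Added example (not from the advisory): triage a Windows host against the
# preconditions Microsoft lists for CVE-2022-34718 (IPv6 + IPsec) and
# CVE-2022-34721/34722 (IPsec). Run in an elevated PowerShell session.
# $PatchKBs is a placeholder: fill it with the September 2022 cumulative
# update KB(s) for this OS build from the Microsoft Update Guide.
param(
    [string[]]$PatchKBs = @('KB-PLACEHOLDER')
)

# IPv6 counts as enabled if the TCP/IPv6 binding is active on any adapter.
$ipv6Enabled = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 |
                 Where-Object Enabled).Count -gt 0

# IPsec is considered configured if the active policy store has an enabled
# IPsec rule, or an IKE main-mode SA is currently established.
$ipsecRules = @(Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
                Where-Object { $_.Enabled -eq 'True' })
$mmSAs      = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)
$ipsecActive = ($ipsecRules.Count -gt 0) -or ($mmSAs.Count -gt 0)

# IKEEXT is often running by default, so it is reported only as context.
$ikeSvc = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue

# Patch state: true if any KB from the list appears in the installed hotfixes.
$installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
$patched   = @($PatchKBs | Where-Object { $installed -contains $_ }).Count -gt 0

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    IPv6Enabled       = $ipv6Enabled
    IPsecActive       = $ipsecActive
    EnabledIPsecRules = $ipsecRules.Count
    MainModeSAs       = $mmSAs.Count
    IKEEXTStatus      = if ($ikeSvc) { $ikeSvc.Status.ToString() } else { 'NotFound' }
    Patched           = $patched
    # Unpatched and meets the IKE precondition (IPsec in use).
    ExposedIKE        = (-not $patched) -and $ipsecActive
    # Unpatched and meets the TCP/IP precondition (IPsec in use and IPv6 on).
    ExposedTcpIp      = (-not $patched) -and $ipsecActive -and $ipv6Enabled
}
```

This is a precondition check based on the advisory text, not a vulnerability scanner; a host flagged as not exposed still needs the update applied.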
CVE-2022-34700 & CVE-2022-35805 – CVSS 8.8
Two RCE vulnerabilities affecting Microsoft Dynamics 365 (on-premises) that could be exploited by authenticated users to run a specially crafted trusted solution package to execute arbitrary SQL commands.
While not rated critical since code execution cannot be achieved, the Windows DNS Server vulnerability CVE-2022-34724 should be prioritized. An unauthenticated attacker could exploit the vulnerability in a denial-of-service attack on the DNS server, which would prevent access to the Internet and cloud resources.
Adobe Releases Patches for 7 Products
September 2022 Patch Tuesday has seen Adobe release patches to fix vulnerabilities in 7 of its products: Experience Manager (11 fixes; 0 critical), Adobe Bridge (12 fixes; 10 critical), InDesign (18 fixes; 8 critical), Photoshop (10 fixes; 9 critical), InCopy (7 fixes; 5 critical), Animate (2 fixes; both critical), and Illustrator (3 fixes; 1 critical). All have been given a priority rating of 3.