Microsoft released its latest security update Tuesday, disclosing more than 140 vulnerabilities across its array of products. This is a departure from past Patch Tuesdays this year, which have only featured a few dozen vulnerabilities, and is the largest number of issues in a single Patch Tuesday since September 2020.
Ten of these vulnerabilities are considered to be “critical,” while three others are listed as being of “moderate” severity and the remainder are considered “important.” There are also nine vulnerabilities that were first found in the Chromium web browser but affect Microsoft Edge, since it’s a Chromium-based browser. Edge users do not need to take any action to patch for these issues.
Windows Hyper-V contains three of the critical vulnerabilities patched this month — CVE-2022-23257, CVE-2022-24537 and CVE-2022-22008 — that could lead to remote code execution. To exploit them, an attacker would first need to open a specially crafted file and then run a specially crafted application on a Hyper-V guest, which could cause the Hyper-V host operating system to execute arbitrary code.
There are also two critical remote code execution vulnerabilities in the Windows Network File System: CVE-2022-24491 and CVE-2022-24497. These issues are only exploitable on Windows Server systems that have the NFS role enabled.
CVE-2022-24500 is another critical remote code execution vulnerability that exists in Windows SMB. An adversary could trigger this vulnerability by tricking a user into visiting a malicious SMB server to retrieve data as part of an API call. In addition to installing Microsoft’s patch, affected users could also mitigate this issue by blocking TCP port 445 at the enterprise perimeter firewall or blocking SMB traffic from making lateral connections or from entering or leaving the network.
Talos also would like to highlight CVE-2022-26919, a critical vulnerability in the LDAP protocol that could allow an attacker to execute arbitrary code on the targeted machine. The adversary would need to be logged into the targeted domain with authenticated credentials. This vulnerability can also only be exploited if an administrator increased the default MaxReceiveBuffer LDAP setting on the targeted machine.
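The three server-side issues above each depend on a condition the defender can check: the NFS role being installed (CVE-2022-24491 and CVE-2022-24497), TCP 445 being reachable (CVE-2022-24500) and a raised LDAP MaxReceiveBuffer value (CVE-2022-26919). The PowerShell below is an added audit example, not code from the Talos post or from Microsoft; it assumes an elevated PowerShell 5.1+ session on Windows Server with the ServerManager and NetSecurity modules available, the function names are hypothetical, and the ntdsutil output parsing and the assumed default buffer size are labelled as assumptions in the comments.

```powershell
# Added example (not from the Talos post): audit one Windows Server host for the
# exposure conditions named for CVE-2022-24491/24497, CVE-2022-24500 and CVE-2022-26919.
# Assumes an elevated PowerShell 5.1+ session on Windows Server. Function names are hypothetical.

function Test-NfsRoleEnabled {
    # The NFS RCE issues are only exploitable when the "Server for NFS" role service is installed.
    $feature = Get-WindowsFeature -Name FS-NFS-Service -ErrorAction SilentlyContinue
    return [bool]($feature -and $feature.Installed)
}

function Test-OutboundSmbBlocked {
    # Talos' mitigation for CVE-2022-24500 is to block TCP 445 at the perimeter and for lateral
    # connections. This reports whether an enabled outbound block rule for TCP/445 already exists
    # on this host (host firewall only; perimeter firewalls must be checked separately).
    $rules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $ports = $rule | Get-NetFirewallPortFilter
        if ($ports.Protocol -eq 'TCP' -and
            (($ports.RemotePort -contains '445') -or ($ports.RemotePort -eq 'Any'))) {
            return $true
        }
    }
    return $false
}

function Block-OutboundSmb {
    # Creates the host-level outbound block for TCP 445 if none exists.
    if (-not (Test-OutboundSmbBlocked)) {
        New-NetFirewallRule -DisplayName 'Block outbound SMB (TCP 445)' `
            -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block -Profile Any | Out-Null
    }
}

function Get-LdapMaxReceiveBuffer {
    # CVE-2022-26919 is only exploitable if an administrator raised MaxReceiveBuffer above its default.
    # ntdsutil's "LDAP policies" / "show values" prints the current policy table; only meaningful on a
    # domain controller. The "<name><spaces><number>" line format below is an assumption about that output.
    $out = & ntdsutil.exe 'LDAP policies' connections 'connect to server localhost' quit 'show values' quit quit 2>&1
    $line = $out | Where-Object { $_ -match 'MaxReceiveBuffer' } | Select-Object -First 1
    if ($line -and $line -match 'MaxReceiveBuffer\s+(\d+)') { return [int]$Matches[1] }
    return $null
}

function Invoke-PatchTuesdayExposureAudit {
    param(
        # Assumed default for MaxReceiveBuffer (10 MB); verify against Microsoft's LDAP policy documentation.
        [int]$DefaultMaxReceiveBuffer = 10485760
    )
    $buffer = Get-LdapMaxReceiveBuffer
    [PSCustomObject]@{
        ComputerName            = $env:COMPUTERNAME
        NfsRoleInstalled        = Test-NfsRoleEnabled            # exposure for CVE-2022-24491/24497
        OutboundSmbBlocked      = Test-OutboundSmbBlocked        # mitigation state for CVE-2022-24500
        LdapMaxReceiveBuffer    = $buffer                        # $null when not a DC / not parsed
        LdapBufferAboveDefault  = ($null -ne $buffer -and $buffer -gt $DefaultMaxReceiveBuffer)  # CVE-2022-26919 precondition
    }
}

# Usage: run elevated, then remediate as needed.
Invoke-PatchTuesdayExposureAudit | Format-List
# Block-OutboundSmb   # uncomment to apply the host-level TCP 445 block
```

The audit only reports preconditions; installing the April update is the fix. The SMB block rule is a host-level complement to the perimeter block the post recommends, so it should be rolled out with the same care as any change that breaks file-sharing traffic.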
A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.
In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The rules included in this release that protect against the exploitation of many of these vulnerabilities are 59497, 59498, 59511, 59512, 59519-59526, 59529 and 59530-59535.