Patch Tuesday, June 14, 2022
Microsoft has published fixes for fifty-five security vulnerabilities, including Remote Code Execution (RCE) flaws and several other critical issues.
This month's Patch Tuesday addresses use-after-free bugs, information leaks, out-of-bounds memory access, RCE vulnerabilities, and Elevation of Privilege (EoP). The affected product lines are Azure, Hyper-V Server, Microsoft Office, Windows Defender, and the Windows operating systems.
This month’s patch deployment
Patches released this month include three rated "critical," one rated "moderate," and the rest rated "important." Many of the vulnerabilities patched this month are remote code execution flaws, but Microsoft reports no active exploitation in the wild, with one exception: the update for CVE-2022-30190, the Microsoft Windows Support Diagnostic Tool (MSDT) vulnerability that was publicly disclosed in May and has been exploited since.
Some of the most critical vulnerabilities patched in this update release are:
- CVE-2022-30139: CVSS 7.5, a Windows Lightweight Directory Access Protocol (LDAP) RCE vulnerability. It is exploitable only if the MaxReceiveBuffer LDAP policy has been raised above its default value, so domain controllers running the default policy are not affected.
- CVE-2022-30136: CVSS 9.8, a Windows Network File System (NFS) RCE vulnerability. An attacker needs only to send an unauthenticated, crafted call to the NFS service to trigger the bug.
- CVE-2022-30163: CVSS 8.5, a Windows Hyper-V RCE vulnerability, exploitable through a specially crafted application running in a Hyper-V guest session.
- CVE-2022-30164: CVSS 8.4, a Kerberos AppContainer security feature bypass. It was possible to circumvent the service ticketing feature that performs user access control checks.
- CVE-2022-30157: CVSS 8.8, a Microsoft SharePoint Server RCE vulnerability. Attackers must be authenticated and have page-creation permissions.
- CVE-2022-30165: CVSS 8.8, a Windows Kerberos EoP vulnerability. It was possible to spoof the Kerberos logon process when a Remote Credential Guard connection was made over CredSSP.
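Before rolling the update out, the questions a practitioner actually has to answer are the conditional ones in the list above: is the LDAP MaxReceiveBuffer policy above its default on this domain controller (CVE-2022-30139), is the NFS server role installed and NFSv4 enabled (CVE-2022-30136), is the ms-msdt handler that CVE-2022-30190 abused still registered, and has the June cumulative update landed. The following PowerShell script is an added example for this post, not Microsoft's code or part of the original advisory. It assumes the MaxReceiveBuffer default of 10485760 bytes, that the NfsServer module exposes an EnableNFSV4 property (mirroring the -EnableNFSV4 switch of Set-NfsServerConfiguration), and that the caller supplies the KB number of the June 2022 cumulative update for the host's build; all three assumptions are marked in the code.

```powershell
# Exposure triage for the June 2022 Patch Tuesday items discussed above.
# Added example; not Microsoft's code. Assumptions are marked "ASSUMED".
# Run from an elevated PowerShell prompt on the host being assessed.

# ASSUMED: default of the MaxReceiveBuffer LDAP policy is 10485760 bytes (10 MB).
# CVE-2022-30139 is only reachable on DCs where an admin raised it above this.
$LdapMaxReceiveBufferDefault = 10485760

function Get-LdapMaxReceiveBuffer {
    param([string]$Server = $env:COMPUTERNAME)
    # ntdsutil ships only with the AD DS role; on a non-DC report "not applicable".
    if (-not (Get-Command ntdsutil.exe -ErrorAction SilentlyContinue)) { return $null }
    # "show values" prints every LDAP policy as "<Name>  <Value>", one per line.
    $out = & ntdsutil.exe 'ldap policies' 'connections' "connect to server $Server" `
                          'quit' 'show values' 'quit' 'quit' 2>&1
    foreach ($line in $out) {
        if ("$line" -match '^\s*MaxReceiveBuffer\s+(\d+)') { return [int64]$Matches[1] }
    }
    return $null
}

function Get-NfsV4Status {
    # CVE-2022-30136 is in the Windows NFS server. The NfsServer cmdlets exist only
    # when the Server for NFS role is installed, so their absence means no exposure.
    if (-not (Get-Command Get-NfsServerConfiguration -ErrorAction SilentlyContinue)) {
        return 'NotInstalled'
    }
    $cfg = Get-NfsServerConfiguration
    # ASSUMED property name: EnableNFSV4, mirroring Set-NfsServerConfiguration -EnableNFSV4.
    if ($cfg.EnableNFSV4) { return 'V4Enabled' }
    return 'V4Disabled'
}

function Test-MsdtHandlerPresent {
    # Microsoft's interim workaround for CVE-2022-30190 was to remove the ms-msdt
    # URL protocol handler; this reports whether that key is still registered.
    return Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
}

function Get-PatchStatus {
    param([string[]]$KbIds)
    # ASSUMED input: $KbIds holds the June 2022 cumulative-update KB for this OS build,
    # looked up by the caller in the Microsoft Update Catalog (none is hard-coded here).
    $hotfixes = Get-HotFix
    if ($hotfixes | Where-Object { $KbIds -contains $_.HotFixID }) { return 'Installed' }
    # Fallback heuristic when no KB is given: any update installed on/after release day.
    if ($hotfixes | Where-Object { $_.InstalledOn -ge [datetime]'2022-06-14' }) {
        return 'PossiblyInstalled'
    }
    return 'Missing'
}

function Get-JuneExposureReport {
    param([string[]]$KbIds = @())
    $ldap = Get-LdapMaxReceiveBuffer
    $ldapShown = if ($null -eq $ldap) { 'n/a (not a DC)' } else { $ldap }
    $ldapExposed = ($null -ne $ldap) -and ($ldap -gt $LdapMaxReceiveBufferDefault)
    [pscustomobject]@{
        Host                   = $env:COMPUTERNAME
        PatchStatus            = Get-PatchStatus -KbIds $KbIds
        LdapMaxReceiveBuffer   = $ldapShown
        LdapPolicyAboveDefault = $ldapExposed   # CVE-2022-30139 reachable pre-patch
        NfsServer              = Get-NfsV4Status   # 'V4Enabled' = CVE-2022-30136 exposed
        MsdtHandlerPresent     = Test-MsdtHandlerPresent
    }
}

# Usage: supply the KB for this build from the Update Catalog, or omit it and rely
# on the install-date heuristic.
Get-JuneExposureReport | Format-List
```

The report is deliberately per-host and read-only: it changes nothing, so it can be run fleet-wide through Invoke-Command to find the domain controllers with a non-default MaxReceiveBuffer and the file servers with NFSv4 enabled, which are the machines that should go first in the rollout. Until they are patched, the vendor-side interim measures referenced by the output are the ones to apply (disable NFSv4 on exposed NFS servers; remove the ms-msdt handler after exporting the key), not ad-hoc registry edits.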
The Zero Day Initiative (ZDI) has noted that this is the first Patch Tuesday in some time that has not included a Print Spooler fix.