June 14, 2022 Patch Tuesday

June 6, 2022

Patch Tuesday, June 14, 2022

Microsoft has published fifty-five security fixes that address Remote Code Execution (RCE) and several other critical issues.

This month’s Patch Tuesday addresses use-after-free issues, information leaks, out-of-bounds memory access, RCE vulnerabilities, and Elevation of Privilege (EoP). These issues affect the following product lines: Azure, Hyper-V Server, Microsoft Office, Windows Defender, and the Windows operating systems.

This month’s patch deployment

Patches released this month include three rated “critical,” one “moderate,” and the rest “important.” Many of the vulnerabilities patched this month relate to remote code execution, but Microsoft states that there are no reports of active exploitation in the wild, with the exception of an update to CVE-2022-30190, a Microsoft Windows Support Diagnostic Tool (MSDT) vulnerability that was publicly disclosed in May.

Some of the most critical vulnerabilities patched in this update release are:

  • CVE-2022-30139: CVSS 7.5, a Windows Lightweight Directory Access Protocol (LDAP) RCE vulnerability, exploitable only if the MaxReceiveBuffer LDAP policy is set to a value higher than the default.
  • CVE-2022-30136: CVSS 9.8, a Windows Network File System RCE vulnerability. Attackers need to make an unauthenticated, crafted call to a Network File System (NFS) service to trigger the bug.
  • CVE-2022-30163: CVSS 8.5, a Windows Hyper-V RCE vulnerability exploitable through a specially crafted application running in a Hyper-V guest session.
  • CVE-2022-30164: CVSS 8.4, a Kerberos AppContainer security feature bypass. It was possible to circumvent the service ticketing feature that performs user access control checks.
  • CVE-2022-30157: CVSS 8.8, a Microsoft SharePoint Server RCE vulnerability. Attackers must be authenticated and have page creation permissions.
  • CVE-2022-30165: CVSS 8.8, a Windows Kerberos EoP flaw. It was possible to spoof the Kerberos logon process when a Remote Credential Guard connection was made via CredSSP.
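
Because the LDAP fix above only matters where MaxReceiveBuffer has been raised, a quick way to confirm exposure before prioritising domain controllers is to read the value from the domain-wide Default Query Policy. The script below is an added example, not code from the original post or from Microsoft; it assumes the ActiveDirectory RSAT module on a domain-joined host and only inspects the default policy (a per-site or per-DC query policy, if one is assigned, would need the same check).

```powershell
# Added example: report whether MaxReceiveBuffer exceeds the documented 10 MB default.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined, read-capable account.
Import-Module ActiveDirectory

$defaultMaxReceiveBuffer = 10485760   # 10 MB, the documented default value

# The default LDAP policy lives under the Configuration naming context.
$configNC = (Get-ADRootDSE).configurationNamingContext
$policyDN = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service," +
            "CN=Windows NT,CN=Services,$configNC"

# lDAPAdminLimits is multi-valued; each entry is "Name=Value".
$policy = Get-ADObject -Identity $policyDN -Properties lDAPAdminLimits
$entry  = $policy.lDAPAdminLimits | Where-Object { $_ -like 'MaxReceiveBuffer=*' }

if (-not $entry) {
    Write-Output "MaxReceiveBuffer not explicitly set; default ($defaultMaxReceiveBuffer) applies."
} else {
    $value = [int64](($entry -split '=', 2)[1])
    if ($value -gt $defaultMaxReceiveBuffer) {
        Write-Warning "MaxReceiveBuffer=$value exceeds the default; prioritise the CVE-2022-30139 update on domain controllers."
    } else {
        Write-Output "MaxReceiveBuffer=$value is at or below the default."
    }
}
```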

Zero Day Initiative (ZDI) has noted that this is the first patch release in some time that has not featured updates for the Print Spooler.
