July 2022 Patch Tuesday - Cepheus Solutions Inc.

Microsoft releases fixes for 84 vulnerabilities, 4 of them critical, plus 2 Microsoft Edge (Chromium-based) patches.

Microsoft has fixed eighty-four vulnerabilities in the July 2022 release, including four vulnerabilities classified as Critical as they allow Remote Code Execution (RCE). This month’s Patch Tuesday cumulative Windows update includes the fix for one (1) actively exploited zero-day vulnerability, CVE-2022-22047. Earlier this month (July 6, 2022), Microsoft released two Microsoft Edge security updates.

Microsoft has fixed several classes of flaws in its software, including Remote Code Execution (RCE), Denial of Service (DoS), Security Feature Bypass, Tampering, Elevation of Privilege, Information Disclosure, and Microsoft Edge (Chromium-based) issues.

Most of the vulnerabilities patched this month relate to remote code execution, but there are currently no reports of active exploitation except for CVE-2022-22047, a Windows CSRSS elevation of privilege vulnerability. This vulnerability has a CVSSv3.1 score of 7.8/10.

Microsoft Critical Vulnerability Overview

This month’s security advisory covers multiple Microsoft product families, including Microsoft Office, Azure, Browser, ESU, System Center, Microsoft Dynamics, and Windows. Downloads include Monthly Rollup, Security Only, and Security Updates. A total of sixty-three unique Microsoft products/versions are affected.

CVE-2022-22039 | Windows Network File System Remote Code Execution Vulnerability

This vulnerability has a CVSSv3.1 score of 7.5/10.

Successful exploitation of this vulnerability requires an attacker to win a race condition.

This vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE).

Exploitability Assessment: Exploitation Less Likely

CVE-2022-22038 | Remote Procedure Call Runtime Remote Code Execution Vulnerability

This vulnerability has a CVSSv3.1 score of 8.1/10.

Successful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data.

Exploitability Assessment: Exploitation Less Likely

CVE-2022-22029 | Windows Network File System Remote Code Execution Vulnerability

This vulnerability has a CVSSv3.1 score of 8.1/10.

This vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE).

Successful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data.

Exploitability Assessment: Exploitation Less Likely

CVE-2022-30221 | Windows Graphics Component Remote Code Execution Vulnerability

This vulnerability has a CVSSv3.1 score of 8.8/10.

An attacker would have to convince a targeted user to connect to a malicious RDP server. Upon connecting, the malicious server could execute code on the victim’s system in the context of the targeted user.

Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1 are only affected by this vulnerability if either RDP 8.0 or RDP 8.1 is installed. If you do not have either of these versions of RDP installed on Windows 7 SP1 or Windows Server 2008 R2 SP1, then you are not affected by this vulnerability.

Exploitability Assessment: Exploitation Less Likely

CVE-2022-22047 | Windows CSRSS Elevation of Privilege Vulnerability

This vulnerability has a CVSSv3.1 score of 7.8/10.

Elevation of Privilege – Important – An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. (Article 5015874)

Exploitability Assessment: Exploitation Detected

Finally, earlier this month.

Earlier in July, Microsoft released fixes for Microsoft Edge (Chromium-based) vulnerabilities CVE-2022-2294 and CVE-2022-2295. The vulnerability assigned to each of these CVEs is in the Chromium Open Source Software (OSS), which is consumed by Microsoft Edge. It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

 
