This month’s Patch Tuesday release includes fixes for 84 CVEs — four that are rated critical, 79 rated important and one rated as unknown. Satnam Narang, Sr. Staff Research Engineer, Tenable shares his thoughts below.
“Microsoft patched CVE-2022-22047, an elevation of privilege vulnerability in the Windows Client Server Run-Time Subsystem (CSRSS). The flaw was assigned a CVSSv3 score of 7.8 and is rated important. According to Microsoft, this vulnerability has been exploited in the wild, though no details were available at the time patches became available. Elevation of Privilege flaws are valuable for attackers that have already gained access to a vulnerable system with limited privileges through other means, including social engineering or exploitation of a separate vulnerability. They could potentially gain administrative privileges by running a specially crafted application that exploits this flaw.
“This month’s release also contains fixes for four separate elevation of privilege vulnerabilities in Windows Print Spooler, identified as CVE-2022-22022, CVE-2022-22041, CVE-2022-30206, and CVE-2022-30226. We have seen a steady stream of vulnerability disclosures in the Print Spooler Service since the original PrintNightmare flaws were disclosed in June (CVE-2021-1675) and early July of 2021 (CVE-2021-34527) as researchers continue to identify flaws in the service. These four flaws are elevation of privilege vulnerabilities, which provide attackers with the ability to delete files or gain SYSTEM privileges on a vulnerable system.
“Microsoft also patched several vulnerabilities in its Azure Site Recovery, a disaster recovery service. These include CVE-2022-33675, an elevation of privilege flaw that was discovered by Tenable researcher Jimi Sebree. The flaw exists in Azure Site Recovery due to a directory permission error that could allow an attacker to leverage DLL hijacking to elevate privileges to SYSTEM. More details about this discovery can be found on the Tenable Techblog.”– Satnam Narang, Sr. Staff Research Engineer, Tenable.