Tech giant Microsoft on Tuesday shipped fixes to quash 64 new security flaws across its software lineup, including one zero-day flaw that has been actively exploited in real-world attacks.
Of the 64 bugs, five are rated Critical, 57 are rated Important, one is rated Moderate, and one is rated Low in severity. The patches are in addition to 16 vulnerabilities that Microsoft addressed in its

Tech giant Microsoft on Tuesday shipped fixes to quash 64 new security flaws across its software lineup, including one zero-day flaw that has been actively exploited in real-world attacks.

Of the 64 bugs, five are rated Critical, 57 are rated Important, one is rated Moderate, and one is rated Low in severity. The patches are in addition to 16 vulnerabilities that Microsoft addressed in its Chromium-based Edge browser earlier this month.

"In terms of CVEs released, this Patch Tuesday may appear on the lighter side in comparison to other months," Bharat Jogi, director of vulnerability and threat research at Qualys, said in a statement shared with The Hacker News.

"However, this month hit a sizable milestone for the calendar year, with MSFT having fixed the 1000th CVE of 2022 – likely on track to surpass 2021 which patched 1,200 CVEs in total."

The actively exploited vulnerability in question is CVE-2022-37969 (CVSS score: 7.8), a privilege escalation flaw affecting the Windows Common Log File System (CLFS) Driver, which could be leveraged by an adversary to gain SYSTEM privileges on an already compromised asset.

"An attacker must already have access and the ability to run code on the target system. This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system," Microsoft said in an advisory.

The tech giant credited four different sets of researchers from CrowdStrike, DBAPPSecurity, Mandiant, and Zscaler for reporting the flaw, which may be an indication of widespread exploitation in the wild, Greg Wiseman, product manager at Rapid7, said in a statement.

CVE-2022-37969 is also the second actively exploited zero-day flaw in the CLFS component after CVE-2022-24521 (CVSS score: 7.8), the latter of which was resolved by Microsoft as part of its April 2022 Patch Tuesday updates.

It's not immediately clear if CVE-2022-37969 is a patch bypass for CVE-2022-24521. Other critical flaws of note are as follows -

*   **CVE-2022-34718** (CVSS score: 9.8) - Windows TCP/IP Remote Code Execution Vulnerability
*   **CVE-2022-34721** (CVSS score: 9.8) - Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
*   **CVE-2022-34722** (CVSS score: 9.8) - Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
*   **CVE-2022-34700** (CVSS score: 8.8) - Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
*   **CVE-2022-35805** (CVSS score: 8.8) - Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability

"An unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could enable a remote code execution exploitation," Microsoft said about CVE-2022-34721 and CVE-2022-34722.

Also resolved by Microsoft are 15 remote code execution flaws in Microsoft ODBC Driver, Microsoft OLE DB Provider for SQL Server, and Microsoft SharePoint Server and five privilege escalation bugs spanning Windows Kerberos and Windows Kernel.

The September release is further notable for patching yet another elevation of privilege vulnerability in the Print Spooler module (CVE-2022-38005, CVSS score: 7.8) that could be abused to obtain SYSTEM-level permissions.

Lastly, included in the raft of security updates is a fix released by chipmaker Arm for a speculative execution vulnerability called Branch History Injection or Spectre-BHB (CVE-2022-23960) that came to light earlier this March.

"This class of vulnerabilities poses a large headache to the organizations attempting mitigation, as they often require updates to the operating systems, firmware and in some cases, a recompilation of applications and hardening," Jogi said. "If an attacker successfully exploits this type of vulnerability, they could gain access to sensitive information."

**Software Patches from Other Vendors**

Aside from Microsoft, security updates have also been released by other vendors since the start of the month to rectify dozens of vulnerabilities, including —

*   Adobe
*   Android
*   Apache Projects
*   Apple
*   Cisco
*   Citrix
*   Dell
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   HP
*   IBM
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   NVIDIA
*   Qualcomm
*   Samba
*   SAP
*   Schneider Electric
*   Siemens
*   Trend Micro
*   VMware, and
*   WordPress (which is dropping support for versions 3.7 through 4.0 starting December 1, 2022)

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft's Latest Security Update Fixes 64 New Flaws, Including a Zero-Day

This month's Patch Tuesday offers a little something for everyone, including security updates for a zero-day flaw in Microsoft Windows that is under active attack, and another Windows weakness experts say could be used to power a fast-spreading computer worm. Also, Apple has also quashed a pair of zero-day bugs affecting certain macOS and iOS users, and released iOS 16, which includes a nifty new privacy and security feature called "Lockdown Mode." And Adobe axed 63 vulnerabilities in a range of products.

This month’s Patch Tuesday offers a little something for everyone, including security updates for a zero-day flaw in **Microsoft Windows** that is under active attack, and another Windows weakness experts say could be used to power a fast-spreading computer worm. Also, **Apple** has also quashed a pair of zero-day bugs affecting certain macOS and iOS users, and released **iOS 16**, which offers a new privacy and security feature called “**Lockdown Mode**.” And **Adobe** axed 63 vulnerabilities in a range of products.

Microsoft today released software patches to plug at least 64 security holes in Windows and related products. Worst in terms of outright scariness is CVE-2022-37969, which is a “privilege escalation” weakness in the **Windows Common Log File System Driver** that allows attackers to gain SYSTEM-level privileges on a vulnerable host. Microsoft says this flaw is already being exploited in the wild.

**Kevin Breen**, director of cyber threat research at **Immersive Labs**, said any vulnerability that is actively targeted by attackers in the wild must be put to the top of any patching list.

“Not to be fooled by its relatively low CVSS score of 7.8, privilege escalation vulnerabilities are often highly sought after by cyber attackers,” Breen said. “Once an attacker has managed to gain a foothold on a victim’s system, one of their first actions will be to gain a higher level of permissions, allowing the attacker to disable security applications and any device monitoring. There is no known workaround to date, so patching is the only effective mitigation.”

**Satnam Narang** at **Tenable** said CVE-2022-24521 — a similar vulnerability in the same Windows log file component — was patched earlier this year as part of Microsoft’s April Patch Tuesday release and was also exploited in the wild.

“CVE-2022-37969 was disclosed by several groups, though it’s unclear if CVE-2022-37969 is a patch-bypass for CVE-2022-24521 at this point,” Narang said.

Another vulnerability Microsoft patched this month — CVE-2022-35803 — also seems to be related to the same Windows log file component. While there are no indications CVE-2022-35803 is being actively exploited, Microsoft suggests that exploitation of this flaw is more likely than not.

Trend Micro’s **Dustin Childs** called attention to CVE-2022-34718, a remote code execution flaw in the **Windows TCP/IP** service that could allow an unauthenticated attacker to execute code with elevated privileges on affected systems without user interaction.

“That officially puts it into the ‘wormable’ category and earns it a CVSS rating of 9.8,” Childs said. “However, only systems with IPv6 enabled and IPSec configured are vulnerable. While good news for some, if you’re using IPv6 (as many are), you’re probably running IPSec as well. Definitely test and deploy this update quickly.”

**Cisco Talos** warns about four critical vulnerabilities fixed this month — CVE-2022-34721 and CVE-2022-34722 — which have severity scores of 9.8, though they are “less likely” to be exploited, according to Microsoft.

“These are remote code execution vulnerabilities in the **Windows Internet Key Exchange** protocol that could be triggered if an attacker sends a specially crafted IP packet,” wrote **Jon Munshaw** and **Asheer Malhotra**. “Two other critical vulnerabilities, CVE-2022-35805 and CVE-2022-34700 exist in on-premises instances of **Microsoft Dynamics 365**. An authenticated attacker could exploit these vulnerabilities to run a specially crafted trusted solution package and execute arbitrary SQL commands. The attacker could escalate their privileges further and execute commands as the database owner.”

Not to be outdone, Apple fixed at least two zero-day vulnerabilities when it released updates for iOS, iPadOS, macOS and Safari. CVE-2022-32984 is a problem in the deepest recesses of the operating system (the kernel). Apple pushed an emergency update for a related zero-day last month in CVE-2022-32983, which could be used to foist malware on iPhones, iPads and Macs that visited a booby-trapped website.

Also listed under active attack is **CVE-2022-32817**, which has been fixed on macOS 12.6 (Monterey), macOS 11.7 (Big Sur), iOS 15.7 and iPadOS 15.7, and iOS 16. The same vulnerability was fixed in Apple Watch in July 2022, and credits **Xinru Chi** of Japanese cybersecurity firm **Pangu Lab**.

“Interestingly, this CVE is also listed in the advisory for iOS 16, but it is not called out as being under active exploit for that flavor of the OS,” Trend Micro’s Childs noted. “Apple does state in its iOS 16 advisory that ‘Additional CVE entries to be added soon.’ It’s possible other bugs could also impact this version of the OS. Either way, it’s time to update your Apple devices.”

Apple’s iOS 16 includes two new security and privacy features — Lockdown Mode and Safety Check. **Wired.com** describes Safety Check as a feature for users who are at risk for, or currently experiencing, domestic abuse.

“The tool centralizes a number of controls in one place to make it easier for users to manage and revoke access to their location data and reset privacy-related permissions,” wrote **Lily Hay Newman**.

“Lockdown Mode, on the other hand, is meant for users who potentially face targeted spyware attacks and aggressive state-backed hacking. The feature comprehensively restricts any nonessential iOS features so there are as few potential points of entry to a device as possible. As more governments and repressive entities around the world have begun purchasing powerful commodity spyware to target individuals of particular importance or interest, iOS’s general security defenses haven’t been able to keep pace with these specialized threats.”

To turn on Lockdown Mode in iOS 16, go to **Settings**, then **Privacy and Security**, then **Lockdown Mode**. Safety Check is located in the same area.

Finally, Adobe released seven patches addressing 63 security holes in **Adobe Experience Manager**, **Bridge**, **InDesign**, **Photoshop**, **InCopy**, **Animate**, and **Illustrator**. More on those updates is here.

Don’t forget to back up your data and/or system before applying any security updates. If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a decent chance other readers have experienced the same and may chime in here with useful tips.

Wormable Flaw, 0days Lead Sept. 2022 Patch Tuesday

CuppaCMS 1.0 is vulnerable to Remote Code Execution (RCE). An authenticated user can control both parameters (action and function) from "/api/index.php.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-37190: Authenticated Remote Code Execution in CuppaCMS api · Issue #22 · CuppaCMS/CuppaCMS

Insufficient access control vulnerability was discovered in the Crestron AirMedia Windows Application, version 4.3.1.39, in which a user can pause the uninstallation of an executable to gain a SYSTEM level command prompt.

CVE-2022-34100: AirMedia Binary Hijack

09/09/22

More information

Threat:

The Lockheed Martin Red Team has discovered a vulnerability found in the AirMedia Windows Application, version 4.3.1.39, in which a low-privileged user can gain a SYSTEM level command prompt by pre-staging a file structure prior to the installation of a trusted service executable and change permissions on that file structure during a repair operation.

Identifier:

CVE-2022-34100

How is Crestron Affected:

Please update the AirMedia Deployable and Guest Application to version 5.5.1.87 to resolve this issue

CVE-2022-34101: AirMedia Rogue DLL

09/09/22

More information

Threat:

The Lockheed Martin Red Team has discovered a vulnerability found in the AirMedia Windows Application, version 4.3.1.39, in which a user can place a malicious DLL in a certain path to execute code and preform a privilege escalation attack.

Identifier:

CVE-2022-34101

How is Crestron Affected:

Please update the AirMedia Deployable and Guest Applications to version 5.5.1.87 to resolve this issue.

CVE-2022-34102: AirMedia Command Prompt Hijack

09/09/22

More information

Threat:

The Lockheed Martin Red Team has discovered a vulnerability found in the AirMedia Windows Application, version 4.3.1.39, in which a user can pause the uninstallation of an executable to gain a SYSTEM level command prompt.

Identifier:

CVE-2022-34102

How is Crestron Affected:

Please update the Air Media Deployable and Guest Applications to version 5.5.1.87 to resolve this issue.

CVE-2022-22707: Lighttpd Denial-of-Service

05/17/22

More information

Threat:

Crestron is aware of an issue affecting lighttpd versions 1.4.46 through 1.4.63. Under certain non-default configurations, an attacker can perform a remote denial of service attack with a stack-based buffer overflow.

Identifier:

CVE-2022-22707

How is Crestron Affected:

Crestron devices are not affected because they do not utilize the vulnerable configurations.

CVE-2022-22965: Spring4Shell

03/31/22

More information

Threat:

This vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

How is Crestron Affected:

Crestron products do not make use of this framework and as such are not vulnerable.

Resources:

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement  
 

CVE-2022-23178: Web Interface Credentials in Cleartext

01/24/22

More information

Threat:

Crestron is aware of an issue discovered on Crestron HD-MD4X2-4K-E 1.0.0.2159 devices. When the administrative web interface of the HDMI switcher is accessed unauthenticated, user credentials are disclosed that are valid to authenticate to the web interface. Specifically, aj.html sends a JSON document with uname and upassword fields.

Identifier:

CVE-2022-23178

How is Crestron Affected:

This vulnerability affects the following products:

*   HD-MD4x1-4K-E
*   HD-MD4x2-4K-E
*   HD-MD6x2-4K-E

Crestron recommends placing the devices on an isolated network.  
Note that the following (4KZ) models are NOT affected by this vulnerability and can be used in place of the affected products.

*   HD-MD4x1-4KZ-E
*   HD-MD4x2-4KZ-E
*   HD-MD6x2-4KZ-E

CVE-2018-15473: OpenSSH User Enumeration

01/12/22

More information

Threat:

Crestron is aware of OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.  
 

Identifier:

This vulnerability has been assigned CVE identifier CVE-2018-15473.

How is Crestron Affected:

This vulnerability affects the following products: All 3-Series Control Systems including but not limited to CP3, RMC3, CP3N, PRO3, and all "x52 Series touchscreens" including but not limited to TSW-552, TSW-1052, TSW-752, TSS-752

Crestron 3-Series Control Systems now uses a customized version of OpenSSH. The Crestron version was modified to replace the cryptographic functions with NIST certified alternatives as well as to remove/modify vulnerable components. Crestron continues to monitor OpenSSH vulnerabilities to apply appropriate fixes.

While the TSW and TSS panels noted use OpenSSH 7.5, they don’t support the features related to this vulnerability. Due to these circumstances, Crestron is not susceptible. Newer touchscreens use a later version of OpenSSH which is not susceptible.

Resources:

For more information, please see 3-Series Control System release notes: v.1.601.0050

Apache Log4j

12/15/21

More information

Threat:

From the offiical vulnerability registration: Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. It was later found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. 

Identifier:

CVE-2021-44228, CVE-2021-4104, CVE-2021-45046

How is Crestron Affected:

Crestron has completed a review of all its products and services and have found none which use Log4j and therefore none are affected by this vulnerability.

Resources:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046  
 

NUCLEUS:13

11/09/21

More information

Threat:

A set of vulnerabilities related to the Nucleus Operating System were disclosed by Siemens on November 9, 2021. The official report can be found here and the researcher’s findings can be found here.  
These vulnerabilities have been assigned the following CVEs.

*   CVE-2021-31344 - ICMP echo packets with fake IP options allow sending ICMP echo reply messages to arbitrary hosts on the network.
*    CVE-2021-31345 - The total length of an UDP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on a user-defined applications that runs on top of the UDP protocol.
*   CVE-2021-31346 - The total length of an ICMP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory.
*   CVE-2021-31881\- When processing a DHCP OFFER message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions.
*   CVE-2021-31882 - The DHCP client application does not validate the length of the Domain Name Server IP option(s) (0x06) when processing DHCP ACK packets. This may lead to Denial-of-Service conditions.
*   CVE-2021-31883 - When processing a DHCP ACK message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions.
*   CVE-2021-31884 - The DHCP client application assumes that the data supplied with the “Hostname” DHCP option is NULL terminated. In cases when global hostname variable is not defined, this may lead to Out-of-bound reads, writes, and Denial-of-service conditions.
*   CVE-2021-31885 - TFTP server application allows for reading the contents of the TFTP memory buffer via sending malformed TFTP commands.
*   CVE-2021-31886 - FTP server does not properly validate the length of the “USER” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution.
*   CVE-2021-31887 - FTP server does not properly validate the length of the “PWD/XPWD” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution.
*   CVE-2021-31888 - FTP server does not properly validate the length of the “MKD/XMKD” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution.
*   CVE-2021-31889 - Malformed TCP packets with a corrupted SACK option leads to Information Leaks and Denial-of-Service conditions.
*   CVE-2021-31890 - The total length of an TCP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory.

Identifier:

2021-31885, 2021-31886, 2021-31887, 2021-31888, 2021-31881, 2021-31882, 2021-31883, 2021-31884, 2021-31344, 2021-31345, 2021-31346, 2021-31889, 2021-31890

How is Crestron Affected:

Crestron has reviewed products utilizing Nucleus and has found none of its products to be affected.

For reference, a partial list of Crestron products utilizing Nucleus follows:

*   2-Series Control Processors – most of these products are discontinued with the notable exceptions of the GLPAC and GL-IPAC
*   DM-MD6X4 and DM-MD6X6
*   DMC-CPU-8/16
*   DMPS3-300-C and DMPS3-300-C-AEC - (Used on Internal Components only - no direct network access)
*   SWAMP and related products
*   CEN-TRACK

Resources:

https://www.forescout.com/research-labs/nucleus-13/  
https://www.siemens.com/cert/advisories

direct link to

*   pdf: https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf
*   txt: https://cert-portal.siemens.com/productcert/txt/ssa-044112.txt
*   csaf: https://cert-portal.siemens.com/productcert/csaf/ssa-044112.json

ThroughTek's Kalay Platform

08/25/21

More information

Threat:

There is a critical vulnerability that has been discovered that affects the IoT devices that use ThroughTek’s “Kalay” network. Exploiting this vulnerability allows the attacker to listen to live audio, watch real time video data and compromise the credentials on the device for further attacks. This can let the attacker remotely control the device.  
 

Identifier:

This vulnerability has been assigned CVE identifier CVE-2021-28372

How is Crestron Affected:

This vulnerability has no impact on Crestron devices as they do not use the ThroughTek “Kalay” network.  
 

|<  <   **1** 2 3 4 5 6    \>  \>| Pages: 1 of 6

CVE-2022-34102: Crestron Electronics, Inc.

In Microsoft's lightest Patch Tuesday update of the year so far, several security vulnerabilities stand out as must-patch, researchers warn.

Microsoft addressed a pair of important-rated zero-day bugs in its September Patch Tuesday update, including a local privilege-escalation (LPE) that's being actively exploited in the wild. To boot, it disclosed three separate critical vulnerabilities that could be used for worming attacks.

The patches are part of a cache of just 64 fixed vulnerabilities from Microsoft this week, the fewest for any month this year (and almost a 50% decrease from August). The disclosed bugs affect Microsoft Windows and Windows Components; Azure and Azure Arc; .NET, Visual Studio, .NET Framework; Microsoft Edge (Chromium-based); Office and Office Components; Windows Defender; and Linux Kernel.

**A Pair of Zero-Day Vulnerabilities**

The actively exploited vulnerability (CVE-2022-37969, with a CVSS score of 7.8) exists in the Windows Common Log File System Driver, which is a general-purpose logging subsystem first introduced in Windows 2003 R2 OS and which has shipped with all later versions. An exploit for the bug allows an attacker with initial system access to elevate their privilege to SYSTEM privileges on a zero-click basis.

"No other technical details are available, but since the vulnerability has low complexity and requires no user interaction, an exploit will likely soon be in the arsenal of both white hats and black hats," Mike Walters, cybersecurity executive and co-founder of Action1, wrote in an analysis provided to Dark Reading. "It’s recommended that you deploy the patch as soon as possible."

Dustin Childs of Trend Micro's Zero Day Initiative (ZDI) noted that it's likely being deployed in a tidy exploit chain package.

"Bugs of this nature are often wrapped into some form of social engineering attack, such as convincing someone to open a file or click a link," he wrote in his Patch Tuesday blog post. "Once they do, additional code executes with elevated privileges to take over a system."

This is one for everyone to patch quickly, he stressed: "Usually, we get little information on how widespread an exploit may be used. However, Microsoft credits four different agencies reporting this bug, so it’s likely beyond just targeted attacks."

The other zero-day bug (CVE-2022-23960) exists in Windows 11 for ARM64-based Systems. Microsoft didn't provide any further details, and it was not assigned a CVSS score, but Bharat Jogi, director of vulnerability and threat research at Qualys, offered context in an emailed comment, noting that it's a processor-based speculative execution issue of the sort made infamous with the Spectre and Meltdown attacks. A successful exploit would give attackers access to sensitive information.

"This \[is\] a fix for a vulnerability known as Spectre-BHB that affects ARM64-based systems," he noted. "This vulnerability is a variant of Spectre v2 which has reinvented itself on numerous occasions and has affected various processor architectures since its discovery in 2017."

He added, "This class of vulnerabilities poses a large headache to the organizations attempting mitigation, as they often require updates to the operating systems, firmware, and in some cases, a recompilation of applications and hardening."

**Five Critical Bugs for September**

As mentioned, three of the critical-rated bugs are wormable — i.e., could be used to spread infections from machine to machine with no user interaction.

The most concerning of these is likely CVE-2022-34718, researchers said, which can be found in Windows TCP/IP. It allows a remote, unauthenticated attacker to execute code with elevated privileges on affected systems without user interaction; and it can be exploited by sending a specially crafted IPv6 packet to a Windows node where IPsec is enabled.

"That officially puts it into the 'wormable' category and earns it a CVSS rating of 9.8," Childs said. "Definitely test and deploy this update quickly."

It should be noted that it only affects systems with IPv6 enabled and IPsec configured, but this is a common setup.

"If a system doesn’t need the IPsec service, disable it as soon as possible," said Action1's Walters. "This vulnerability can be exploited in supply chain attacks where contractor and customer networks are connected by an IPsec tunnel. If you have IPsec tunnels in your Windows infrastructure, this update is a must-have."

The other two wormable bugs, CVE-2022-34722 and CVE-2022-34721, are both found in Windows Internet Key Exchange (IKE) Protocol Extensions. They both allow RCE by sending a specially crafted IP packet to a target machine that is running Windows and has IPsec enabled, and both carry a CVSS score of 9.8.

Walters noted that the vulnerability impacts only IKEv1 and not IKEv2. "However, all Windows Servers are affected because they accept both V1 and V2 packets," he wrote. "There is no exploit or PoC detected in the wild yet; however, installing the fix is highly advisable."

The final two critical bugs (CVE-2022-34700 and CVE-2022-35805) both exist in Dynamics 365 (On-Premises), and "could allow an authenticated user to perform SQL injection attacks and execute commands as db\_owner within their Dynamics 356 database," Childs explained. They have a CVSS score of 8.8.

**Other Vulnerabilities of Note**

As for noncritical flaws to pay attention to first this month, Childs also flagged a denial-of-service bug in Windows DNS server (CVE-2022-34724, CVSS score of 7.5), which can be exploited by remote, unauthenticated attacker to knock out DNS service used to connect to cloud resources and websites.

While there's no chance of code execution, the bug should be treated as critical, he added. "With so many resources in the cloud, a loss of DNS pointing the way to those resources could be catastrophic for many enterprises," Childs said.

Rapid7's Patch Tuesday analysis this month, sent via email, also noted that SharePoint administrators should also be aware of four separate RCE bugs, all rated important (CVE-2022-35823, CVE-2022-37961, CVE-2022-38008, and CVE-2022-38009).

And there's a large swath of RCE bugs affecting OLE DB Provider for SQL Server and the Microsoft ODBC Driver (CVE-2022-34731; CVE-2022-34733, CVE-2022-35834, CVE-2022-35835, CVE-2022-35836, and CVE-2022-35840).

"These require some social engineering to exploit, by convincing a user to either connect to a malicious SQL Server or open a maliciously crafted .mdb (Access) file," Greg Wiseman, product manager at Rapid7, explained in the analysis.

Overall, administrators should have an easier time parsing the lighter patch load this month, but ZDI's Childs noted that the smaller collection is in line with the volume of patches from previous September releases. Qualys' Jogi also pointed out that while September's Patch Tuesday clocks in on the lighter side, Microsoft hit a milestone of fixing the 1,000th CVE of the year, meaning the software giant is "likely on track to surpass 2021, which patched 1,200 CVEs in total."

Microsoft Quashes Actively Exploited Zero-Day, Wormable Critical Bugs

In the SEPolicy configuration of system apps, there is a possible access to the 'ip' utility due to an insecure default value. This could lead to local information disclosure of network data with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-219808546References: Upstream kernel

_Published September 6, 2022 Updated September 9, 2022_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2022-09-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours. We will revise this bulletin with the AOSP links when they are available.

The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2022-09-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-09-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Android runtime**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-22822

A-219942275

EoP

High

10, 11, 12, 12L

CVE-2022-23852

A-221255869

EoP

High

10, 11, 12, 12L

CVE-2022-23990

A-221256678

EoP

High

10, 11, 12, 12L

CVE-2022-25314

A-221384482

EoP

High

10, 11, 12, 12L

**Framework**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20218

A-223907044

EoP

High

12, 12L

CVE-2022-20392

A-213323615 \[2\]

EoP

High

10, 11, 12, 12L

CVE-2022-20393

A-233735886

ID

High

11, 12, 12L

CVE-2022-20197

A-208279300

EoP

Moderate

10, 11, 12, 12L

**System**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-20395

A-221855295

EoP

High

11, 12, 12L, 13

CVE-2022-20398

A-221859734

EoP

High

13

CVE-2022-20396

A-234440688

ID

High

12L, 13

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Component

CVE

Permission Controller, Permission Controller

CVE-2022-20218

MediaProvider

CVE-2022-20395

WiFi

CVE-2022-20398

**2022-09-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2022-09-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel**

The most severe vulnerability in this section could lead to local information disclosure of network data with no additional execution privileges needed.

    

CVE

References

Type

Severity

Component

CVE-2022-20399

A-219808546  
Upstream kernel

ID

High

SELinux

**Kernel components**

The most severe vulnerability in this section could lead to local escalation of privilege in system libraries with no additional execution privileges needed.

    

CVE

References

Type

Severity

Component

CVE-2021-4083

A-216408350  
Upstream kernel

EoP

High

Kernel

CVE-2022-29582

A-231494876  
Upstream kernel

EoP

High

fs

**Imagination Technologies**

These vulnerabilities affect Imagination Technologies components and further details are available directly from Imagination Technologies. The severity assessment of these issues is provided directly by Imagination Technologies.

   

CVE

References

Severity

Component

CVE-2021-0697

A-238918403\*

High

PowerVR-GPU

CVE-2021-0942

A-238904312\*

High

PowerVR-GPU

CVE-2021-0943

A-238916921\*

High

PowerVR-GPU

CVE-2021-0871

A-238921253\*

High

PowerVR-GPU

**MediaTek components**

This vulnerability affects MediaTek components and further details are available directly from MediaTek. The severity assessment of this issue is provided directly by MediaTek.

   

CVE

References

Severity

Component

CVE-2022-26447

A-237956326  
M-ALPS06784478\*

High

BT firmware

**Unisoc components**

These vulnerabilities affect Unisoc components and further details are available directly from Unisoc. The severity assessment of these issues is provided directly by Unisoc.

   

CVE

References

Severity

Component

CVE-2022-20385

A-238379819  
U-1903041\*

High

kernel

CVE-2022-20386

A-238227328  
U-1903099\*

High

Android

CVE-2022-20387

A-238227324  
U-1872920\*

High

Android

CVE-2022-20388

A-238227323  
U-1872920\*

High

Android

CVE-2022-20389

A-238257004  
U-1872920\*

High

Android

CVE-2022-20390

A-238257002  
U-1872920\*

High

Android

CVE-2022-20391

A-238257000  
U-1872920\*

High

Andorid

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Component

CVE-2022-22095

A-223210037  
QC-CR#3168780  
QC-CR#3088894

High

Kernel

CVE-2022-25656

A-228101796  
QC-CR#3119439 \[2\]  
QC-CR#2998082 \[2\]

High

Kernel

CVE-2022-25670

A-235102548  
QC-CR#3104235

High

WLAN

CVE-2022-25693

A-235102897  
QC-CR#3141474

High

Display

CVE-2022-25704

A-235102694  
QC-CR#3155069 \[2\]

High

Bluetooth

CVE-2022-25706

A-235102901  
QC-CR#3155132

High

Bluetooth

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

   

CVE

References

Severity

Component

CVE-2022-25708

A-235102756\*

Critical

Closed-source component

CVE-2022-22066

A-223209292\*

High

Closed-source component

CVE-2022-22074

A-235102567\*

High

Closed-source component

CVE-2022-22081

A-235102758\*

High

Closed-source component

CVE-2022-22089

A-235102568\*

High

Closed-source component

CVE-2022-22091

A-223209291\*

High

Closed-source component

CVE-2022-22092

A-223211216\*

High

Closed-source component

CVE-2022-22093

A-223209815\*

High

Closed-source component

CVE-2022-22094

A-223210036\*

High

Closed-source component

CVE-2022-25669

A-235102508\*

High

Closed-source component

CVE-2022-25686

A-235102899\*

High

Closed-source component

CVE-2022-25688

A-235102421\*

High

Closed-source component

CVE-2022-25690

A-235102422\*

High

Closed-source component

CVE-2022-25696

A-235102900\*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2022-09-01 or later address all issues associated with the 2022-09-01 security patch level.
*   Security patch levels of 2022-09-05 or later address all issues associated with the 2022-09-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2022-09-01\]
*   \[ro.build.version.security\_patch\]:\[2022-09-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2022-09-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2022-09-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2022-09-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

September 6, 2022

Bulletin Published

1.1

September 9, 2022

Bulletin revised to include AOSP links  
Revised CVE Table

CVE-2022-20399: Android Security Bulletin—September 2022  |  Android Open Source Project

Microsoft SharePoint Remote Code Execution Vulnerability.

CVE-2022-35823

Microsoft Office Visio Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-38010.

CVE-2022-37963

Microsoft PowerPoint Remote Code Execution Vulnerability.

CVE-2022-37962

AV1 Video Extension Remote Code Execution Vulnerability.

Tag

#rce