SANS ISC: Microsoft March 2022 Patch Tuesday - SANS Internet Storm Center SANS ISC InfoSec Forums

Microsoft March 2022 Patch Tuesday

This month we got patches for 92 vulnerabilities. Of these, 3 are critical, 3 were previously disclosed, and one is already being exploited according to Microsoft.

Among critical vulnerabilities, there is a remote code execution (RCE) affecting Microsoft Exchange Server (CVE-2022-23277). According to the advisory, to exploit this vulnerability the attacker, as an authenticated user, could attempt to trigger malicious code in the context of the server's account through a network call. The CVSS for this vulnerability is 8.8 - the highest for this month.

The other two critical vulnerabilities are RCEs affecting the HEVC (CVE-2022-22006) and VP9 (CVE-2022-24501) video extensions. In both cases, an attacker could exploit the vulnerability by convincing a victim to download and open a specially crafted file, which could lead to a crash. The CVSS is the same for both as well: 7.8.

Turning to the previously disclosed vulnerabilities, all three were rated as 'important'. One of them (CVE-2022-21990) is an RCE affecting Remote Desktop Client, with a CVSS of 8.8 and rated as 'More likely' to be exploited in the security advisory. An attacker with control of a Remote Desktop Server could trigger remote code execution on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client.

The second is an elevation of privilege vulnerability affecting Windows Fax and Scan Service (CVE-2022-24459) with a CVSS of 7.8, and the third is an RCE in .NET and Visual Studio with a CVSS of 6.3.

Among important vulnerabilities, there is an RCE affecting Windows Event Tracing (CVE-2022-23294). The advisory says: "an attacker with non-admin credentials can potentially carry out an exploit using this vulnerability. The authenticated attacker could potentially take advantage of this vulnerability to execute malicious code through the Event Log's Remote Procedure Call (RPC) endpoint on the server-side". On mitigating factors for this vulnerability, the advisory says: "Access to the Event Log service endpoint is blocked by default and a firewall rule change is required to make the endpoint accessible from a locally triggered attack."

See Renato's dashboard for a more detailed breakout: https://patchtuesdaydashboard.com/

March 2022 Security Updates

Each description line below is followed by one row per CVE, with these columns:
CVE, Disclosed, Exploited, Exploitability (old versions), Exploitability (current version), Severity, CVSS Base (AVG), CVSS Temporal (AVG)
.NET and Visual Studio Denial of Service Vulnerability
CVE-2022-24464 No No Less Likely Less Likely Important 7.5 6.5
.NET and Visual Studio Remote Code Execution Vulnerability
CVE-2022-24512 Yes No Less Likely Less Likely Important 6.3 5.5
Azure Site Recovery Elevation of Privilege Vulnerability
CVE-2022-24506 No No Less Likely Less Likely Important 6.5 5.7
CVE-2022-24515 No No Less Likely Less Likely Important 6.5 5.7
CVE-2022-24469 No No Less Likely Less Likely Important 8.1 7.1
CVE-2022-24518 No No Less Likely Less Likely Important 6.5 5.7
CVE-2022-24519 No No Less Likely Less Likely Important 6.5 5.7
Azure Site Recovery Remote Code Execution Vulnerability
CVE-2022-24467 No No Less Likely Less Likely Important 7.2 6.3
CVE-2022-24468 No No Less Likely Less Likely Important 7.2 6.3
CVE-2022-24517 No No Less Likely Less Likely Important 7.2 6.3
CVE-2022-24470 No No Less Likely Less Likely Important 7.2 6.3
CVE-2022-24471 No No Less Likely Less Likely Important 7.2 6.3
CVE-2022-24520 No No Less Likely Less Likely Important 7.2 6.3
Brotli Library Buffer Overflow Vulnerability
CVE-2020-8927 No No Less Likely Less Likely Important 6.5 5.7
Chromium: CVE-2022-0789 Heap buffer overflow in ANGLE
CVE-2022-0789 No No - - -    
Chromium: CVE-2022-0790 Use after free in Cast UI
CVE-2022-0790 No No - - -    
Chromium: CVE-2022-0791 Use after free in Omnibox
CVE-2022-0791 No No - - -    
Chromium: CVE-2022-0792 Out of bounds read in ANGLE
CVE-2022-0792 No No - - -    
Chromium: CVE-2022-0793 Use after free in Views
CVE-2022-0793 No No - - -    
Chromium: CVE-2022-0794 Use after free in WebShare
CVE-2022-0794 No No - - -    
Chromium: CVE-2022-0795 Type Confusion in Blink Layout
CVE-2022-0795 No No - - -    
Chromium: CVE-2022-0796 Use after free in Media
CVE-2022-0796 No No - - -    
Chromium: CVE-2022-0797 Out of bounds memory access in Mojo
CVE-2022-0797 No No - - -    
Chromium: CVE-2022-0798 Use after free in MediaStream
CVE-2022-0798 No No - - -    
Chromium: CVE-2022-0799 Insufficient policy enforcement in Installer
CVE-2022-0799 No No - - -    
Chromium: CVE-2022-0800 Heap buffer overflow in Cast UI
CVE-2022-0800 No No - - -    
Chromium: CVE-2022-0801 Inappropriate implementation in HTML parser
CVE-2022-0801 No No - - -    
Chromium: CVE-2022-0802 Inappropriate implementation in Full screen mode
CVE-2022-0802 No No - - -    
Chromium: CVE-2022-0803 Inappropriate implementation in Permissions
CVE-2022-0803 No No - - -    
Chromium: CVE-2022-0804 Inappropriate implementation in Full screen mode
CVE-2022-0804 No No - - -    
Chromium: CVE-2022-0805 Use after free in Browser Switcher
CVE-2022-0805 No No - - -    
Chromium: CVE-2022-0806 Data leak in Canvas
CVE-2022-0806 No No - - -    
Chromium: CVE-2022-0807 Inappropriate implementation in Autofill
CVE-2022-0807 No No - - -    
Chromium: CVE-2022-0808 Use after free in Chrome OS Shell
CVE-2022-0808 No No - - -    
Chromium: CVE-2022-0809 Out of bounds memory access in WebXR
CVE-2022-0809 No No - - -    
HEIF Image Extensions Remote Code Execution Vulnerability
CVE-2022-24457 No No Less Likely Less Likely Important 7.8 6.8
HEVC Video Extensions Remote Code Execution Vulnerability
CVE-2022-23301 No No Less Likely Less Likely Important 7.8 6.8
CVE-2022-22006 No No Less Likely Less Likely Critical 7.8 6.8
CVE-2022-22007 No No Less Likely Less Likely Important 7.8 6.8
CVE-2022-24452 No No Less Likely Less Likely Important 7.8 6.8
CVE-2022-24453 No No Less Likely Less Likely Important 7.8 6.8
CVE-2022-24456 No No Less Likely Less Likely Important 7.8 6.8
Media Foundation Information Disclosure Vulnerability
CVE-2022-21977 No No Less Likely Less Likely Important 3.3 2.9
CVE-2022-22010 No No Less Likely Less Likely Important 4.4 3.9
Microsoft Defender for Endpoint Spoofing Vulnerability
CVE-2022-23278 No No Less Likely Less Likely Important 5.9 5.2
Microsoft Defender for IoT Elevation of Privilege Vulnerability
CVE-2022-23266 No No Less Likely Less Likely Important 7.8 6.8
Microsoft Defender for IoT Remote Code Execution Vulnerability
CVE-2022-23265 No No Less Likely Less Likely Important 7.2 6.7
Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2022-23277 No No More Likely More Likely Critical 8.8 7.7
Microsoft Exchange Server Spoofing Vulnerability
CVE-2022-24463 No No Less Likely Less Likely Important 6.5 5.7
Microsoft Intune Portal for iOS Security Feature Bypass Vulnerability
CVE-2022-24465 No No Less Likely Less Likely Important 3.3 2.9
Microsoft Office Visio Remote Code Execution Vulnerability
CVE-2022-24509 No No Less Likely Less Likely Important 7.8 6.8
CVE-2022-24461 No No Less Likely Less Likely Important 7.8 6.8
CVE-2022-24510 No No Less Likely Less Likely Important 7.8 6.8
Microsoft Office Word Tampering Vulnerability
CVE-2022-24511 No No Less Likely Less Likely Important 5.5 4.8
Microsoft Word Security Feature Bypass Vulnerability
CVE-2022-24462 No No Less Likely Less Likely Important 5.5 4.8
Paint 3D Remote Code Execution Vulnerability
CVE-2022-23282 No No Less Likely Less Likely Important 7.8 6.8
Point-to-Point Tunneling Protocol Denial of Service Vulnerability
CVE-2022-23253 No No More Likely More Likely Important 6.5 5.7
Raw Image Extension Remote Code Execution Vulnerability
CVE-2022-23295 No No Less Likely Less Likely Important 7.8 6.8
CVE-2022-23300 No No Unlikely Unlikely Important 7.8 6.8
Remote Desktop Client Remote Code Execution Vulnerability
CVE-2022-21990 Yes No More Likely More Likely Important 8.8 7.9
CVE-2022-23285 No No More Likely More Likely Important 8.8 7.7
Remote Desktop Protocol Client Information Disclosure Vulnerability
CVE-2022-24503 No No Less Likely Less Likely Important 5.4 4.7
Skype Extension for Chrome Information Disclosure Vulnerability
CVE-2022-24522 No No Less Likely Less Likely Important 7.5 6.5
Tablet Windows User Interface Application Elevation of Privilege Vulnerability
CVE-2022-24460 No No Less Likely Less Likely Important 7.0 6.1
VP9 Video Extensions Remote Code Execution Vulnerability
CVE-2022-24451 No No Less Likely Less Likely Important 7.8 6.8
CVE-2022-24501 No No Less Likely Less Likely Critical 7.8 6.8
Visual Studio Code Spoofing Vulnerability
CVE-2022-24526 No No Less Likely Less Likely Important 6.1 5.3
Windows ALPC Elevation of Privilege Vulnerability
CVE-2022-23283 No No Less Likely Less Likely Important 7.0 6.1
CVE-2022-23287 No No Less Likely Less Likely Important 7.0 6.1
CVE-2022-24505 No No Less Likely Less Likely Important 7.0 6.1
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2022-24507 No No More Likely More Likely Important 7.8 6.8
Windows CD-ROM Driver Elevation of Privilege Vulnerability
CVE-2022-24455 No No Less Likely Less Likely Important 7.8 6.8
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVE-2022-23286 No No More Likely More Likely Important 7.0 6.1
Windows Common Log File System Driver Information Disclosure Vulnerability
CVE-2022-23281 No No Less Likely Less Likely Important 5.5 4.8
Windows DWM Core Library Elevation of Privilege Vulnerability
CVE-2022-23291 No No Less Likely Less Likely Important 7.8 6.8
CVE-2022-23288 No No Less Likely Less Likely Important 7.0 6.1
Windows Event Tracing Remote Code Execution Vulnerability
CVE-2022-23294 No No More Likely More Likely Important 8.8 7.7
Windows Fast FAT File System Driver Elevation of Privilege Vulnerability
CVE-2022-23293 No No Less Likely Less Likely Important 7.8 6.8
Windows Fax and Scan Service Elevation of Privilege Vulnerability
CVE-2022-24459 Yes No Less Likely Less Likely Important 7.8 7.0
Windows HTML Platforms Security Feature Bypass Vulnerability
CVE-2022-24502 No No More Likely More Likely Important 4.3 3.9
Windows Hyper-V Denial of Service Vulnerability
CVE-2022-21975 No No Less Likely Less Likely Important 4.7 4.1
Windows Inking COM Elevation of Privilege Vulnerability
CVE-2022-23290 No No Less Likely Less Likely Important 7.8 6.8
Windows Installer Elevation of Privilege Vulnerability
CVE-2022-23296 No No Less Likely Less Likely Important 7.8 6.8
Windows Media Center Update Denial of Service Vulnerability
CVE-2022-21973 No No Less Likely Less Likely Important 5.5 4.8
Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability
CVE-2022-23297 No No Less Likely Less Likely Important 5.5 4.8
Windows NT OS Kernel Elevation of Privilege Vulnerability
CVE-2022-23298 No No Less Likely Less Likely Important 7.0 6.1
Windows PDEV Elevation of Privilege Vulnerability
CVE-2022-23299 No No More Likely More Likely Important 7.8 6.8
Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2022-23284 No No Less Likely Less Likely Important 7.2 6.5
Windows SMBv3 Client/Server Remote Code Execution Vulnerability
CVE-2022-24508 No No More Likely More Likely Important 8.8 7.7
Windows Security Support Provider Interface Elevation of Privilege Vulnerability
CVE-2022-24454 No No Less Likely Less Likely Important 7.8 6.8
Windows Update Stack Elevation of Privilege Vulnerability
CVE-2022-24525 No No Less Likely Less Likely Important 7.0 6.1
Xbox Live Auth Manager for Windows Elevation of Privilege Vulnerability
CVE-2022-21967 No No Less Likely Less Likely Important 7.0 6.1

--
Renato Marinho
Morphus Labs | LinkedIn | Twitter
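
The prioritisation the diary walks through (exploited, previously disclosed, critical, 'More Likely'), applied to the table's title-then-CVE-rows layout. This is an added example, not part of the original diary or any SANS ISC tooling; the ranking order and the names `parse`, `triage` and `Entry` are assumptions of this example.

```python
import re
from collections import namedtuple

# One record per CVE row; "exploitability" is the "current version" column.
Entry = namedtuple("Entry", "title cve disclosed exploited exploitability severity cvss_base")

LIKELIHOOD = r"(More Likely|Less Likely|Unlikely|-)"
ROW = re.compile(r"^(CVE-\d{4}-\d+) (Yes|No) (Yes|No) " + LIKELIHOOD + " " + LIKELIHOOD
                 + r" (Critical|Important|Moderate|Low|-)(?: (\d+\.\d) (\d+\.\d))?$")

def parse(text):
    """Attach each CVE row to the title line that precedes it."""
    entries, title = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = ROW.match(line)
        if m and title is not None:
            base = float(m.group(7)) if m.group(7) else None  # Chromium rows carry no CVSS
            entries.append(Entry(title, m.group(1), m.group(2) == "Yes",
                                 m.group(3) == "Yes", m.group(5), m.group(6), base))
        elif line.startswith("CVE-"):
            raise ValueError("unparsed CVE row: " + line)  # never drop a row silently
        elif line:
            title = line
    return entries

def triage(entries):
    """Assumed ranking: exploited, disclosed, Critical, More Likely, then CVSS base."""
    def key(e):
        return (e.exploited, e.disclosed, e.severity == "Critical",
                e.exploitability == "More Likely", e.cvss_base or 0.0)
    return sorted((e for e in entries if any(key(e)[:4])), key=key, reverse=True)

# Rows copied from the table on this page (a subset, to keep the example short).
SAMPLE = """\
.NET and Visual Studio Remote Code Execution Vulnerability
CVE-2022-24512 Yes No Less Likely Less Likely Important 6.3 5.5
Chromium: CVE-2022-0789 Heap buffer overflow in ANGLE
CVE-2022-0789 No No - - -
HEVC Video Extensions Remote Code Execution Vulnerability
CVE-2022-23301 No No Less Likely Less Likely Important 7.8 6.8
CVE-2022-22006 No No Less Likely Less Likely Critical 7.8 6.8
Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2022-23277 No No More Likely More Likely Critical 8.8 7.7
Remote Desktop Client Remote Code Execution Vulnerability
CVE-2022-21990 Yes No More Likely More Likely Important 8.8 7.9
CVE-2022-23285 No No More Likely More Likely Important 8.8 7.7
"""

if __name__ == "__main__":
    for e in triage(parse(SAMPLE)):
        print(e.cve, e.severity, e.cvss_base, e.title)
```

Rows that match none of the four flags are left out of the ranked list, and a CVE line the pattern cannot read raises an error instead of being skipped.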

Renato

82 Posts
ISC Handler
Mar 8th 2022
"one is already being exploited according to Microsoft." not according to your chart or the other one you linked to. Can you provide which one is actively being exploited or update the chart accordingly?
Anonymous