Microsoft issued a patch for a zero-day flaw actively exploited in the wild in its latest Patch Tuesday dump of security fixes.
The update to the world’s most ubiquitous operating system includes 63 other patches, among them another zero-day.
The actively exploited zero-day, tracked as CVE-2022-37969, allows attackers to execute code with elevated privileges and gain access to affected systems. Hackers typically look for ways to gain elevated access to computing resources, making the bug potentially a serious one despite its CVSS score of 7.8.
Exploitation of the vulnerability requires an attacker to already have gained access to the system. “Bugs of this nature are often wrapped into some form of social engineering attack, such as convincing someone to open a file or click a link,” says Dustin Childs, a security analyst at Zero Day Initiative, a software vulnerability initiative run by cybersecurity firm Trend Micro.
Four organizations – DBAPPSecurity, Mandiant, CrowdStrike and Zscaler – reported this bug, Microsoft says.
The zero-day is among 18 elevation of privilege vulnerabilities the technology giant fixed this month. The notification also shares fixes for 30 remote code execution flaws, 16 Edge-Chromium flaws, seven information disclosure flaws, seven denial-of-service flaws and one security feature bypass flaw.
CVE-2022-34724 can allow hackers to launch denial-of-service attacks on Windows DNS servers. While there is little chance of code execution, the bug is “critical due to its potential impact,” says Childs.
“It’s not clear if the DoS just kills the DNS service or the whole system. Shutting down DNS is always bad, but with so many resources in the cloud, a loss of DNS pointing the way to those resources could be catastrophic for many enterprises,” he says.
Two critical vulnerabilities – CVE-2022-34722 and CVE-2022-34721 – are Windows Internet Key Exchange protocol extension remote code execution vulnerabilities, with a CVSS score of 9.8. IKE is the protocol used to negotiate security associations within the Internet Protocol Security (IPsec) suite.
Exploits of both vulnerabilities are simple to execute, requiring no interaction with users, says Mike Walters, cybersecurity executive, president and co-founder of Action1. “An unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has enabled IPsec to enable remote code execution,” he says.
Walters tells Information Security Media Group that the vulnerability affects IKEv1 and IKEv2. All Windows servers are affected, because they accept packets from both versions. “There is no exploit or POC detected in the wild yet. However, installing the fix is highly advisable,” Walters says.
Critically rated vulnerabilities CVE-2022-34700 and CVE-2022-35805 affect Microsoft Dynamics 365. The two remote code execution vulnerabilities, each with a CVSS score of 8.8, allow an authenticated user to perform SQL injection attacks and execute commands as the owner within the Dynamics 365 database, Childs says.
The final critical vulnerability, tracked as CVE-2022-34718, affects Windows TCP/IP. The remote code execution vulnerability has a CVSS score of 9.8 and allows unauthenticated attackers to execute code with elevated privileges on affected systems without user interaction.
An adversary can send a specially crafted IPv6 packet to a Windows node with IPsec enabled to perform remote code execution, Walters says. Supply chains are at particular risk from this vulnerability in instances where contractors and customer networks are connected by an IPsec tunnel, he says. “If you have IPsec tunnels in your Windows infrastructure, this update is a must-have.”
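The prioritisation advice above (IPsec tunnels, IPv6 exposure and the DNS Server role all raise the urgency of this month's update) translates into a quick local inventory. The PowerShell script below is an added example, not code from the article or from Microsoft or Action1; it assumes only built-in Windows and NetSecurity cmdlets, and the KB identifier is a labelled placeholder because the article names no update IDs.

```powershell
# Added example (not from the article): inventory the exposure surface the
# September 2022 advisories describe, on one Windows host or server.
# Assumption: $KbId is a PLACEHOLDER; replace it with the cumulative update
# ID for your Windows build before relying on the final warning.

$Report = [ordered]@{}

# 1. IKE/AuthIP keying service (IKEEXT): relevant to CVE-2022-34721/34722.
$ike = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
$Report['IKEEXT service'] = if ($ike) { $ike.Status } else { 'not present' }

# 2. IPsec rules and live IKE security associations: the "IPsec tunnels"
#    the article singles out.
$rules = @(Get-NetIPsecRule -ErrorAction SilentlyContinue)
$Report['IPsec rules defined'] = $rules.Count
$mainModeSAs = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)
$Report['Active IKE main-mode SAs'] = $mainModeSAs.Count

# 3. IPv6 bound to any adapter: relevant to CVE-2022-34718 (IPv6 + IPsec).
$v6 = Get-NetAdapterBinding -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue |
      Where-Object Enabled
$Report['Adapters with IPv6 enabled'] = @($v6).Count

# 4. DNS Server role present: relevant to CVE-2022-34724.
$dns = Get-Service -Name DNS -ErrorAction SilentlyContinue
$Report['DNS Server service'] = if ($dns) { $dns.Status } else { 'not installed' }

# 5. Is the cumulative update installed? ($KbId is a placeholder, see above)
$KbId = 'KB0000000'
$hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
$Report["Update $KbId installed"] = [bool]$hotfix

# 6. OS build, for matching against Microsoft's release notes.
$Report['OS build'] = (Get-CimInstance Win32_OperatingSystem).BuildNumber

[PSCustomObject]$Report | Format-List

# Flag the article's "must-have" condition: IPsec in use and update missing.
$ipsecInUse = ($rules.Count -gt 0) -or ($mainModeSAs.Count -gt 0)
if ($ipsecInUse -and -not $hotfix) {
    Write-Warning "IPsec is in use on this host and $KbId is not installed: prioritise this update."
}
```

Run it in an elevated PowerShell session, since Get-NetIPsecMainModeSA and Get-NetIPsecRule need administrative rights to enumerate policy and state; the counts it prints are the inputs to the risk ranking the article describes, not a statement that the host is or is not vulnerable.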