Microsoft’s July 2022 Patch Tuesday Addresses 84 CVEs (CVE-2022-22047)

CVE-2022-33675 | Azure Site Recovery Elevation of Privilege Vulnerability

CVE-2022-33675 is a EoP vulnerability in Azure Site Recovery, a suite of tools aimed at providing disaster recovery services. The vulnerability was discovered and reported to Microsoft by Tenable researcher Jimi Sebree. It exists due to a directory permission error which can allow an attacker to use DLL hijacking to elevate their privileges to SYSTEM. You can read more about the discovery of the vulnerability on the Tenable Techblog and view our public advisory here.

Microsoft also patched several other vulnerabilities affecting Azure Site Recovery:

CVE-2022-22047 | Windows CSRSS Elevation of Privilege

CVE-2022-22047 is an EoP vulnerability in the Windows Client Server Run-Time Subsystem. It received a CVSSv3 score of 7.8 and is rated as Important. Microsoft says this vulnerability has been exploited in the wild, though no further details have been shared at the time of publication. However, this type of vulnerability is likely to have been used as part of post-compromise activity, once an attacker has gained access to their targeted system and run a specially crafted application.

This vulnerability is credited to the Microsoft Threat Intelligence Center and Microsoft Security Response Center.

CVE-2022-22022, CVE-2022-22041, CVE-2022-30206, CVE-2022-30226 | Windows Print Spooler Elevation of Privilege Vulnerabilities

CVE-2022-22022, CVE-2022-22041, CVE-2022-30206 and CVE-2022-30226 are all EoP vulnerabilities in Windows Print Spooler components. After the deluge of vulnerability disclosures kicked off by PrintNightmare in August 2021, June 2022 was the first month in which Microsoft did not release any patches for Print Spooler. On balance, Microsoft has patched four high severity vulnerabilities in the service, all of which were rated “Exploitation Less Likely” based on Microsoft’s Exploitability Index. Three of the vulnerabilities were credited to researchers who disclosed Print Spooler flaws during the PrintNightmare saga last year. Xuefeng Li and Zhiniang Peng with Sangfor were the ones to kick it all off in late June 2021.

While the four vulnerabilities received somewhat similar CVSSv3 scores (listed in the table below), they grant attackers different levels of privilege escalation if exploited. CVE-2022-22022 and CVE-2022-30226 only allow an attacker to delete targeted files on a system while CVE-2022-22041 and CVE2022-30206 could grant an attacker SYSTEM privileges.

If patching is not feasible at this time, all four vulnerabilities can be mitigated by disabling the Print Spooler service. Microsoft’s advisories include PowerShell commands to do so.

CVE-2022-22038 | Remote Procedure Call Runtime Remote Code Execution Vulnerability

CVE-2022-22038 is a RCE vulnerability in the Remote Procedure Call Runtime impacting all supported versions of Windows. The vulnerability received a CVSSv3 score of 8.1 and, while no privileges are required, the CVSS score indicates the attack complexity is high. Microsoft further supports this with a note in the advisory stating that additional actions by an attacker are required in order to prepare a target for successful exploitation. This is one of four vulnerabilities credited to Yuki Chen of Cyber KunLun in this month’s release.

CVE-2022-22028, CVE-2022-20229, CVE-2022-22039 | Windows Network File System Vulnerabilities

CVE-2022-22028 is an information disclosure vulnerability, whileCVE-2022-22029 and CVE-2022-22039are RCE vulnerabilities in the Windows Network File System (NFS). All three flaws were assigned an “Exploitation Less Likely” because these flaws have high attack complexity. In the case of CVE-2022-22029, an attacker would need to “invest time in repeated exploitation attempts” by “sending constant or intermittent data.” Both CVE-2022-22028 and CVE-2022-22039 require an attacker to “win a race condition” in order to exploit these vulnerabilities.

Microsoft attributed these vulnerabilities to security researcher Yuki Chen of Cyber KunLun. This is the third month in a row that Chen has reported vulnerabilities in Windows NFS, though the previously patched flaws carried a higher criticality rating.