icetray - Fotolia
Windows zero-day quashed for September Patch Tuesday
A relatively light patching workload awaits admins this month, but a "wormable" threat should increase the sense of urgency to rapidly deploy Microsoft's batch of fixes.
A Windows zero-day and a "wormable" vulnerability topped the list of concerns for administrators on September Patch Tuesday.
In total, Microsoft released corrections for 63 CVEs, with five rated critical. Admins should focus on patching systems vulnerable to a Windows zero-day (CVE-2022-37969) in the common log file system driver that affects most Windows desktop and server systems, including the Windows 7 and Windows 2008/2008R2 OSes that continue to get patches via the Extended Security Updates (ESU) program. This bug is rated important and had been publicly disclosed.
A threat actor needs both access to the network and privileges to execute code. After a successful exploit of the vulnerability, the attacker could gain system privileges. This bug could be the last piece in the puzzle of an advanced persistent threat scenario for an attacker overtaking a system. Microsoft's details on this CVE provide some context that should motivate administrators to push out the patches immediately.
"If you look at the acknowledgments for this vulnerability, there are four different groups that were cited. To me, that says this was not one targeted attack. This was multiple vendors who have possibly detected similar attacks by the same exploit," said Chris Goettl, vice president of product management for security products at Ivanti, an IT asset and endpoint management company.
Organizations that have systems on the ESU program should be aware of the approaching end date in January 2023 and put together a migration plan. Otherwise they will be exposed to threats after the support deadline. Customers who migrate Server 2008/2008 R2 workloads to Azure can stretch the support lifecycle to January 2024.
'Wormable' critical vulnerability targets Windows systems
A Windows TCP/IP remote code execution flaw (CVE-2022-34718) rated critical has one of the highest Common Vulnerability Scoring System (CVSS) ratings this month at 9.8. The bug affects all supported Windows desktop and server systems that use IPv6 on an IPSec node and requires no user interaction or privileges. The nature of the vulnerability means it could be engineered to hunt down and infect systems that listen for a type of TCP/IP traffic.
"Organizations that have turned on IPv6 should be taking this seriously because of the wormable nature, even if they're not utilizing IPv6 right now," Goettl said. "If they have enabled it, then it's listening. If this request is sent around, then there's a good chance somebody could exploit this."
Publicly disclosed vulnerability affects ARM devices
Microsoft fixed a cache speculation restriction vulnerability (CVE-2022-23960) rated important for Windows 11 on 64-bit ARM systems. The bug was publicly disclosed before September Patch Tuesday.
The vulnerability is known as Spectre-BHB and shares some of the hallmarks of the Spectre variant 2 vulnerabilities that "cause cache allocation, which can then be used to infer information that should not be accessible," according to the ARM developer site.
Other security updates of note for September Patch Tuesday
Administrators still smarting from the troubles that spawned from the PrintNightmare vulnerability should be on guard for CVE-2022-38005, a Windows print spooler elevation-of-privilege flaw that affects all Windows systems. The solitary nature of this specific vulnerability shouldn't lull IT pros into thinking they can delay patching. An attacker who pulls off a successful exploit can get system privileges.
Goettl said most organizations that have suffered through multiple print spooler problems should develop a battery of tests to ensure proper printing functionality after applying patches.
An Azure Guest Configuration and Azure Arc-enabled servers elevation-of-privilege vulnerability (CVE-2022-38007) focuses on Linux platforms and has a CVSS rating of 7.8. Attackers could use the flaw to swap out Microsoft's code with their own. Proof-of-concept exploit code exists, but Microsoft gives this CVE an exploitability assessment of "exploitation less likely."
As Linux gains prominence in Microsoft-based organizations and more configuration-level vulnerabilities in Azure arise, the need for a consistent way to support these products will also increase.
"There's going to have to be some tooling to help admins be able to tackle some of those challenges more effectively," Goettl said.