The June 2022 Microsoft Patch Tuesday consists of 55 vulnerabilities, three classified as 'Critical' and the rest marked as 'Important'. A breakout by type is below:
- 27 Remote Code Execution (RCE) Vulnerabilities
- 12 Elevation of Privilege Vulnerabilities
- 1 Security Feature Bypass Vulnerability
- 11 Information Disclosure Vulnerabilities
- 3 Denial of Service Vulnerabilities
- 1 Spoofing Vulnerability
The 'Critical' rated vulnerabilities affect Windows Hyper-V (RCE), Windows Lightweight Directory Access Protocol (LDAP) (RCE), and the Windows Network File System (NFS) (RCE). Updates can be found here:
The Microsoft Diagnostic Tool (MSDT) Attack Vector:
The "Follina" zero-day (CVE-2022-30190) is fixed in this month's security fixes from Microsoft. It was initially discovered two weeks before the monthly updates. The zero-day stems from attacks leveraging the Windows Microsoft Diagnostic Tool (MSDT): simply opening a crafted Word document (including in MS Office Protected View) bypasses security controls and executes PowerShell scripts.
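As an added illustration of the document vector described above (this is example code, not part of the original post and not a Microsoft tool), the following Python scanner inspects the relationship parts of a .docx for two indicators that public analysis associated with CVE-2022-30190: a relationship that loads an OLE object from an external location, and any relationship target using the ms-msdt: URI scheme. The indicators, the in-memory sample documents and the example.invalid URL are assumptions constructed for this example, so the script runs offline.

```python
"""Added example (not code from the original post): a defender-side scanner for
the Follina (CVE-2022-30190) Word-document vector.  Indicators are assumptions
drawn from public analysis of the attack: an external OLE object relationship
(the remote content that ends up invoking MSDT) or any relationship target that
uses the ms-msdt: URI scheme.  Sample documents are constructed in memory."""
import io
import re
import sys
import zipfile
from typing import List
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
HYPERLINK_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                      "relationships/hyperlink")
STYLES_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                   "relationships/styles")
MSDT_SCHEME = re.compile(r"^\s*ms-msdt:", re.IGNORECASE)


def scan_docx_relationships(docx_bytes: bytes) -> List[str]:
    """Return one finding string per suspicious relationship in a .docx."""
    findings: List[str] = []
    buf = io.BytesIO(docx_bytes)
    if not zipfile.is_zipfile(buf):
        return ["not an OOXML (zip) container"]
    with zipfile.ZipFile(buf) as zf:
        # Any OOXML part may carry a .rels sidecar; the Follina documents used
        # word/_rels/document.xml.rels, but we check every relationships part.
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                findings.append(f"{name}: malformed relationships part")
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                rel_type = rel.get("Type", "")
                external = rel.get("TargetMode", "").lower() == "external"
                if MSDT_SCHEME.match(target):
                    findings.append(f"{name}: ms-msdt: URI in relationship target {target!r}")
                elif external and rel_type == OLE_REL_TYPE:
                    findings.append(f"{name}: external OLE object fetched from {target!r}")
    return findings


def build_sample_docx(document_rels: str) -> bytes:
    """Construct a minimal .docx-shaped zip with the given document.xml.rels.
    This is a constructed sample, not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


# Constructed sample: an ordinary hyperlink plus a local styles part.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{HYPERLINK_REL_TYPE}" Target="https://example.com/" TargetMode="External"/>
  <Relationship Id="rId2" Type="{STYLES_REL_TYPE}" Target="styles.xml"/>
</Relationships>"""

# Constructed sample: an OLE object pulled from a remote (placeholder) host and a
# target using the ms-msdt: scheme.  Both trigger a finding.
SUSPICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="http://example.invalid/template.html" TargetMode="External"/>
  <Relationship Id="rId2" Type="{HYPERLINK_REL_TYPE}" Target="ms-msdt:/id PCWDiagnostic" TargetMode="External"/>
</Relationships>"""


def main(argv: List[str]) -> int:
    """Scan the .docx paths given on the command line, or the built-in samples."""
    if len(argv) > 1:
        samples = {}
        for path in argv[1:]:
            with open(path, "rb") as fh:
                samples[path] = fh.read()
    else:
        samples = {"benign.docx": build_sample_docx(BENIGN_RELS),
                   "suspicious.docx": build_sample_docx(SUSPICIOUS_RELS)}
    flagged = 0
    for label, data in samples.items():
        findings = scan_docx_relationships(data)
        flagged += 1 if findings else 0
        print(f"{label}: {'CLEAN' if not findings else 'SUSPICIOUS'}")
        for finding in findings:
            print("  -", finding)
    return 1 if flagged else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with one or more .docx paths, or with no arguments to scan the two constructed samples; the exit status is non-zero when anything is flagged, which suits mail-gateway or triage scripting. The scanner only reads the document's own relationship parts, so remote content fetched through an external OLE object is flagged by its external target rather than by inspecting what that host serves.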
"DogWalk" is another zero-day security flaw leveraging the MSDT. DogWalk is a path traversal flaw that allows a threat actor to copy an executable into the Windows Startup folder and bypasses the "Mark of the Web" (MOTW) security feature. The malicious file (.diagcab) would be executed automatically when the device restarts. Microsoft initially stated that neither Follina nor DogWalk was a "security-related issue"; however, security researchers provided proofs of concept exploiting the attack vector. Unofficial patches were released by third parties to cover the gap while Microsoft worked on a fix.
Cumulative updates KB5014699 and KB5014692 have been released for versions 21H2, 21H1, and 1809 to resolve security issues and bugs. This update is mandatory and will be installed by Windows Update during the device's service window.
Be aware that the June Windows Server updates may cause backup failures with the Volume Shadow Copy Service (VSS); the regression stems from Microsoft's fix for an elevation of privilege vulnerability (CVE-2022-30154), which itself is currently rated 'Medium' severity. A suggested resolution is to install the Windows updates released on June 14th and later on both the File Server and the Application Server. Refer to Bleeping Computer's article for further information.
Other notable vulnerabilities and security issues discovered over the month include:
- Atlassian Confluence - Remote Code Execution (CVE-2022-26134)
  - Added to the Cybersecurity and Infrastructure Security Agency's (CISA) "Known Exploited Vulnerabilities Catalog"
  - Mitigations and fixes can be found in Confluence Security Advisory 2022-06-02
- Zyxel - Remote Code Execution (CVE-2022-30525)
  - Zyxel released security updates for the affected models; however, admins must request a hotfix for the AP controllers, as that fix is not publicly available
- VMware - VMware Workspace ONE, Identity Manager (vIDM), vRealize Automation (vRA), Cloud Foundation, and vRealize Suite Lifecycle Manager are the affected products
  - Workarounds and resolutions can be found in VMSA-2022-0011.1
- Cisco released a patch for the IOS XR zero-day vulnerability (CVE-2022-20821), which could be abused by unauthenticated remote threat actors
  - Workarounds can be found in Cisco's advisory
- Windows MSDT zero-day now exploited by Chinese APT hackers (bleepingcomputer.com)
- Zyxel Releases Patch for Critical Firewall OS Command Injection Vulnerability (thehackernews.com)
- Zyxel fixes firewall flaws that could lead to hacked networks (bleepingcomputer.com)
- Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control | CISA