June 2022 and Microsoft has released fixes for 55 vulnerabilities, including fixes for the Windows MSDT ‘Follina’ zero-day vulnerability and new Intel MMIO flaws.

Of the 55 vulnerabilities fixed in today’s update, three are classified as ‘Critical’ as they allow remote code execution, with the rest classified as Important. This does not include 5 Microsoft Edge Chromium updates that were released earlier this week.

The number of bugs in each vulnerability category is listed below:

  • 12 Elevation of Privilege Vulnerabilities
  • 1 Security Feature Bypass Vulnerabilities
  • 27 Remote Code Execution Vulnerabilities
  • 11 Information Disclosure Vulnerabilities
  • 3 Denial of Service Vulnerabilities
  • 1 Spoofing Vulnerability

Executive Summary

  • All client and server versions of Windows are affected by at least one critical security issue.
  • One new issue on Windows 11 when installing the updates.
  • Microsoft released security updates for other products, including Microsoft Edge, Microsoft Office, and Visual Studio.
  • Internet Explorer retires tomorrow for most Windows systems.

Taking a closer look at some of the more interesting CVE fixes;

CVE-2022-30190 – Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability
Although it’s difficult to see from the Security Update Guide, Microsoft did release an update to address the much discuss “Follina” vulnerability in MSDT. This bug has been reported to be under active attack, so priority should be given to the testing and deployment of this update.

CVE-2022-30136 – Windows Network File System Remote Code Execution Vulnerability
This CVSS 9.8 bug looks eerily similar to CVE-2022-26937 – an NFS bug patched last month and one we blogged about last week. This vulnerability could allow a remote attacker to execute privileged code on affected systems running NFS. On the surface, the only difference between the patches is that this month’s update fixes a bug in NFSV4.1, whereas last month’s bug only affected versions NSFV2.0 and NSFV3.0. It’s not clear if this is a variant or a failed patch or a completely new issue. Regardless, enterprises running NFS should prioritize testing and deploying this fix.

 CVE-2022-30163 – Windows Hyper-V Remote Code Execution Vulnerability
This bug could allow a user on a Hyper-V guest to run their code on the underlying Hyper-V host OS. The update doesn’t list the privileges the attacker’s code would run at, but any guest-to-host escape should be taken seriously. Microsoft notes that attack complexity is high since an attacker would need to win a race condition. However, we have seen many reliable exploits demonstrated that involve race conditions, so take the appropriate step to test and deploy this update.

CVE-2022-30148 – Windows Desired State Configuration (DSC) Information Disclosure Vulnerability
Most info disclosure bugs simply leak unspecified memory contents, but this bug is different. An attacker could use this to recover plaintext passwords and usernames from log files. Since DSC is often used by Sys Admins to maintain machine configurations in an enterprise, there are likely some sought-after username/password combos that could be recovered. This would also be a great bug for an attacker to move laterally within a network. If you’re using DSC, make sure you don’t miss this update.

Operating System Distribution

Windows Client family.

  • Windows 7 (extended support only): 21 vulnerabilities: 1 critical and 20 important
    • Windows Hyper-V Remote Code Execution Vulnerability — CVE-2022-30163
  • Windows 8.1: 22 vulnerabilities: 1 critical and 21 important
    • Windows Hyper-V Remote Code Execution Vulnerability — CVE-2022-30163
  • Windows 10 version 20H2, 21H1 and 21H2 : 29 vulnerabilities, 2 critical and 27 important
    • Windows Hyper-V Remote Code Execution Vulnerability — CVE-2022-30163
    • Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability — CVE-2022-30139
  • Windows 11:  28 vulnerabilities, 2 critical and 26 important
    • Windows Hyper-V Remote Code Execution Vulnerability — CVE-2022-30163
    • Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability — CVE-2022-30139

Windows Server family.

  • Windows Server 2008 R2 (extended support only): 20 vulnerabilities: 1 critical and 19 important
    • Windows Hyper-V Remote Code Execution Vulnerability — CVE-2022-30163
  • Windows Server 2012 R2: 24 vulnerabilities: 2 critical and 22 important
    • Windows Hyper-V Remote Code Execution Vulnerability — CVE-2022-30163
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-30136
  • Windows Server 2016: 29 vulnerabilities: 3 critical and 26 important
    • Windows Hyper-V Remote Code Execution Vulnerability — CVE-2022-30163
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-30136
    • Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability — CVE-2022-30139
  • Windows Server 2019: 31 vulnerabilities: 3 critical and 28 important
    • Windows Hyper-V Remote Code Execution Vulnerability — CVE-2022-30163
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-30136
    • Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability — CVE-2022-30139
  • Windows Server 2022: 29 vulnerabilities: 2 critical and 27 important
    • Windows Hyper-V Remote Code Execution Vulnerability — CVE-2022-30163
    • Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability — CVE-2022-30139

CVE

Title

Severity

CVSS

Public

Exploited

Type

CVE-2022-30163

Windows Hyper-V Remote Code Execution Vulnerability

Critical

8.5

No

No

RCE

CVE-2022-30139

Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

Critical

7.5

No

No

RCE

CVE-2022-30136

Windows Network File System Remote Code Execution Vulnerability

Critical

9.8

No

No

RCE

CVE-2022-30184

.NET and Visual Studio Information Disclosure Vulnerability

Important

5.5

No

No

Info

CVE-2022-30167

AV1 Video Extension Remote Code Execution Vulnerability

Important

7.8

No

No

RCE

CVE-2022-30193

AV1 Video Extension Remote Code Execution Vulnerability

Important

7.8

No

No

RCE

CVE-2022-29149

Azure Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability

Important

7.8

No

No

EoP

CVE-2022-30180

Azure RTOS GUIX Studio Information Disclosure Vulnerability

Important

7.8

No

No

Info

CVE-2022-30177

Azure RTOS GUIX Studio Remote Code Execution Vulnerability

Important

7.8

No

No

RCE

CVE-2022-30178

Azure RTOS GUIX Studio Remote Code Execution Vulnerability

Important

7.8

No

No

RCE

CVE-2022-30179

Azure RTOS GUIX Studio Remote Code Execution Vulnerability

Important

7.8

No

No

RCE

CVE-2022-30137

Azure Service Fabric Container Elevation of Privilege Vulnerability

Important

6.7

No

No

EoP

CVE-2022-22018

HEVC Video Extensions Remote Code Execution Vulnerability

Important

7.8

No

No

RCE

CVE-2022-29111

HEVC Video Extensions Remote Code Execution Vulnerability

Important

7.8

No

No

RCE

CVE-2022-29119

HEVC Video Extensions Remote Code Execution Vulnerability

Important

7.8

No

No

RCE

CVE-2022-30188

HEVC Video Extensions Remote Code Execution Vulnerability

Important

7.8

No

No

RCE

CVE-2022-21123 *

Intel: CVE-2022-21123 Shared Buffer Data Read (SBDR)

Important

N/A

No

No

Info

CVE-2022-21125 *