Today is Microsoft’s July 2022 Patch Tuesday, and with it come fixes for one actively exploited zero-day vulnerability and a total of 84 flaws.

Four of the 84 vulnerabilities fixed in today’s update are classified as ‘Critical’ as they allow remote code execution.

The number of bugs in each vulnerability category is listed below:

  • 52 Elevation of Privilege Vulnerabilities
  • 4 Security Feature Bypass Vulnerabilities
  • 12 Remote Code Execution Vulnerabilities
  • 11 Information Disclosure Vulnerabilities
  • 5 Denial of Service Vulnerabilities

The above counts do not include two vulnerabilities previously fixed in Microsoft Edge.

Executive Summary

  • All client and server versions of Windows are affected by at least one critical security issue.
  • Microsoft released security updates for other company products as well, including Microsoft Office, Microsoft Defender for Endpoint, Microsoft Edge, Skype for Business and Microsoft Lync, and Xbox.
  • Windows 8.1 users will see a banner about the upcoming end of support of the operating system.
  • The following client versions of Windows have known issues: Windows 7, Windows 8.1, Windows 10 version 20H2, 21H1 and 21H2, Windows 11.
  • The following server versions of Windows have known issues: Windows Server 2008, 2008 R2, 2012, 2012 R2, 2019, 2022 and Server 20H2.

Of the 84 new CVEs released today, four are rated Critical, and 80 are rated Important in severity. One of these bugs was submitted through the ZDI program. None of the new bugs patched this month are listed as publicly known, but one of the updates for CSRSS is listed as under active attack. Let’s take a closer look at some of the more interesting updates for this month, starting with the CSRSS bug under active attack:

– CVE-2022-22047 – Windows CSRSS Elevation of Privilege
This bug is listed as being under active attack, but there’s no information from Microsoft on where the vulnerability is being exploited or how widely it is being exploited. The vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target. Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system. These attacks often rely on macros, which is why so many were disheartened to hear of Microsoft’s delay in blocking all Office macros by default.

– CVE-2022-30216 – Windows Server Service Tampering Vulnerability
This patch corrects a tampering vulnerability in the Windows Server Service that could allow an authenticated attacker to upload a malicious certificate to a target server. While this is listed as “Tampering”, an attacker who could install their own certificate on a target system could use this bug for various purposes, including code execution. While tampering bugs don’t often get much attention, Microsoft does give this its highest exploit index rating, meaning they expect active exploits within 30 days. Definitely test and deploy this patch quickly – especially to your critical servers.

– CVE-2022-22029 – Windows Network File System Remote Code Execution Vulnerability
This is the third month in a row with a Critical-rated NFS bug, and while this one has a lower CVSS than the previous ones, it could still allow a remote, unauthenticated attacker to execute their code on an affected system with no user interaction. Microsoft notes multiple exploit attempts may be required to do this, but unless you are specifically auditing for this, you may not notice. If you’re running NFS, make sure you don’t ignore this patch.

– CVE-2022-22038 – Remote Procedure Call Runtime Remote Code Execution Vulnerability
This bug could allow a remote, unauthenticated attacker to execute code on an affected system. While not specified in the bulletin, the presumption is that the code execution would occur at elevated privileges. Combine these attributes and you end up with a potentially wormable bug. Microsoft states the attack complexity is high since an attacker would need to make “repeated exploitation attempts” to take advantage of this bug, but again, unless you are actively blocking RPC activity, you may not see these attempts. If the exploit complexity were low, which some would argue since the attempts could likely be scripted, the CVSS would be 9.8. Test and deploy this one quickly.

Operating System Distribution

Windows Client family.

  • Windows 7 (extended support only): 33 vulnerabilities: 1 critical and 32 important
    • Windows Graphics Component Remote Code Execution Vulnerability — CVE-2022-30221
  • Windows 8.1: 35 vulnerabilities: 2 critical and 33 important
    • Remote Procedure Call Runtime Remote Code Execution Vulnerability — CVE-2022-22038
    • Windows Graphics Component Remote Code Execution Vulnerability – CVE-2022-30221
  • Windows 10 version 20H2, 21H1 and 21H2: 43 vulnerabilities, 2 critical and 41 important
    • Remote Procedure Call Runtime Remote Code Execution Vulnerability — CVE-2022-22038
    • Windows Graphics Component Remote Code Execution Vulnerability – CVE-2022-30221
  • Windows 11: 42 vulnerabilities, 2 critical and 40 important
    • Remote Procedure Call Runtime Remote Code Execution Vulnerability — CVE-2022-22038
    • Windows Graphics Component Remote Code Execution Vulnerability – CVE-2022-30221

Windows Server family.

  • Windows Server 2008 R2 (extended support only): 36 vulnerabilities: 3 critical and 33 important
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-22039
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-22029
    • Windows Graphics Component Remote Code Execution Vulnerability — CVE-2022-30221
  • Windows Server 2012 R2: 38 vulnerabilities: 4 critical and 34 important
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-22039
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-22029
    • Windows Graphics Component Remote Code Execution Vulnerability — CVE-2022-30221
    • Remote Procedure Call Runtime Remote Code Execution Vulnerability — CVE-2022-22038
  • Windows Server 2016: 44 vulnerabilities: 4 critical and 40 important
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-22039
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-22029
    • Windows Graphics Component Remote Code Execution Vulnerability — CVE-2022-30221
    • Remote Procedure Call Runtime Remote Code Execution Vulnerability — CVE-2022-22038
  • Windows Server 2019: 46 vulnerabilities: 4 critical and 42 important
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-22039
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-22029
    • Windows Graphics Component Remote Code Execution Vulnerability — CVE-2022-30221
    • Remote Procedure Call Runtime Remote Code Execution Vulnerability — CVE-2022-22038
  • Windows Server 2022: 47 vulnerabilities: 4 critical and 43 important
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-22039
    • Windows Network File System Remote Code Execution Vulnerability — CVE-2022-22029
    • Windows Graphics Component Remote Code Execution Vulnerability — CVE-2022-30221
    • Remote Procedure Call Runtime Remote Code Execution Vulnerability — CVE-2022-22038

Recent updates from other companies

Other vendors who released updates in July 2022 include:

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2022-22047 | Windows CSRSS Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2022-22038 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-30221 | Windows Graphics Component Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2022-22029 | Windows Network File System Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-22039 | Windows Network File System Remote Code Execution Vulnerability | Critical | 7.5 | No | No | RCE |
| CVE-2022-30215 | Active Directory Federation Services Elevation of Privilege Vulnerability | Important | 7.5 | No | No | EoP |
| CVE-2022-23816 * | AMD: CVE-2022-23816 AMD CPU Branch Type Confusion | Important | N/A | No | No | Info |
| CVE-2022-23825 * | AMD: CVE-2022-23825 AMD CPU Branch Type Confusion | Important | N/A | No | No | Info |
| CVE-2022-30181 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33641 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33642 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33643 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33650 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33651 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33652 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.4 | No | No | EoP |
| CVE-2022-33653 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33654 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33655 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33656 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33657 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33658 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.4 | No | No | EoP |
| CVE-2022-33659 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33660 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33661 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33662 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33663 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33664 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-33665 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-33666 | Azure Site Recovery Elevation of Privilege Vulnerability | | | | | |
