Patch Tuesday: Exploited Windows 0day, zero-click pre-auth RCE vuln in RPC
Those 700,000 folks with RPC exposed to the internet should probably...
Microsoft has pushed 84 patches under its monthly Patch Tuesday. They include fixes for four critical vulnerabilities as well as a Windows 0day listed as being under attack: CVE-2022-22047 -- exploitation was detected and reported by Microsoft's own Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) -- as well as a pre-authentication remote code execution (RCE) bug reported by China's Cyber KunLun.
The Windows 0day, CVE-2022-22047, is an elevation of privilege (EoP) bug that gives an attacker SYSTEM but requires local access; Microsoft rates it CVSS 7.8. Few details are currently available about the vulnerability, which lies in the core Windows component CSRSS.exe (the Client/Server Runtime Subsystem), but expect security researchers and bad actors alike to reverse engineer the patch and work out how to exploit the bug in the not-too-distant future. Patch promptly.
Another one to look out for is CVE-2022-22038, a pre-auth RCE vulnerability with a CVSS score of 8.1 in the Windows Remote Procedure Call (RPC) runtime. Microsoft played down the likelihood of exploitation in its own advisory, saying "successful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data", but as the Zero Day Initiative notes, "unless you are actively blocking RPC activity, you may not see these attempts. If the exploit complexity were low, which some would argue [should be the case] since the attempts could likely be scripted, the CVSS would be 9.8."
For what it is worth, Automox sees over 700,000 devices with RPC open to the public internet.
CVE-2022-22038 was reported by Yuki Chen of Cyber KunLun. Again, a proof-of-concept that might trigger wider exploitation has yet to land, but one no doubt will shortly. Security researcher Kevin Beaumont noted that it "sounds similar to the NotSMB one from a few months ago that everybody freaked out about (which turned out to not be exploitable with default endpoints). More info needed but I wouldn't panic" -- patch regardless.
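For readers who want to find out whether they are among the hosts with RPC reachable from untrusted networks, and whether the July fixes have landed, the following PowerShell triage script is an added example; it is not code from The Stack, Microsoft, ZDI or Automox, and nothing in it is specific to how CVE-2022-22038 is triggered. It assumes an elevated PowerShell session on a Windows host with the NetTCPIP and NetSecurity modules (Windows 8/Server 2012 and later). Two further assumptions are labelled in the comments: the Windows Firewall "Public" profile is used as a local stand-in for "internet-facing", since only an external scan proves reachability, and because the KB numbers for the July 2022 cumulative update differ per Windows build, an install date on or after 12 July 2022 is used in place of a build-specific KB lookup.

```powershell
# Added triage script (not from The Stack, Microsoft, ZDI or Automox).
# Run in an elevated PowerShell session on the host being checked. It answers:
#   1. Is the RPC endpoint mapper (TCP 135) listening on a non-loopback address?
#   2. Does an enabled inbound Allow rule cover that port on the Public profile?
#   3. Has any update been installed since Patch Tuesday, 12 July 2022?
# Assumptions: "Public profile" stands in for "internet-facing", and the
# install-date test stands in for a build-specific KB lookup.

function Test-RpcExposure {
    [CmdletBinding()]
    param(
        [int]      $RpcPort      = 135,
        [datetime] $PatchTuesday = (Get-Date '2022-07-12')
    )

    # 1. Listening sockets. RPCSS binding 0.0.0.0:135 is normal on every Windows
    #    host; the real question is who can reach it, which the firewall checks cover.
    $listeners = @(Get-NetTCPConnection -LocalPort $RpcPort -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
        Select-Object LocalAddress, LocalPort, OwningProcess)

    # 2. Enabled inbound Allow rules that apply to the Public (or Any) profile and
    #    whose port filter covers TCP 135. LocalPort is a string or string array;
    #    built-in rules use the keyword 'RPCEPMap' for the endpoint mapper.
    $allowRules = @(Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object { "$($_.Profile)" -match 'Any|Public' } |
        ForEach-Object {
            $rule  = $_
            $pf    = $rule | Get-NetFirewallPortFilter
            $ports = @($pf.LocalPort)
            if (("$($pf.Protocol)" -in @('TCP', 'Any')) -and
                ($ports -contains 'Any' -or $ports -contains "$RpcPort" -or $ports -contains 'RPCEPMap')) {
                [pscustomobject]@{
                    Name      = $rule.DisplayName
                    Profile   = "$($rule.Profile)"
                    Protocol  = "$($pf.Protocol)"
                    LocalPort = ($ports -join ',')
                }
            }
        })

    # Profile state: a disabled Public profile, or a default-allow inbound policy,
    # changes the meaning of the per-rule result, so report it alongside.
    $publicProfile = Get-NetFirewallProfile -Name Public |
        Select-Object Name, Enabled, DefaultInboundAction
    $publicEnabled = ("$($publicProfile.Enabled)" -eq 'True')
    $defaultAllow  = ("$($publicProfile.DefaultInboundAction)" -eq 'Allow')

    # 3. Updates installed on or after the July 2022 Patch Tuesday. Get-HotFix reads
    #    Win32_QuickFixEngineering, so an empty list means "not seen", not "unpatched".
    $recentUpdates = @(Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn)

    [pscustomobject]@{
        RpcListeners             = $listeners
        PublicProfile            = $publicProfile
        InboundAllowRules        = $allowRules
        UpdatesSincePatchTuesday = $recentUpdates
        Exposed                  = ($listeners.Count -gt 0) -and
                                   ($defaultAllow -or (-not $publicEnabled) -or ($allowRules.Count -gt 0))
        PatchedSince0712         = ($recentUpdates.Count -gt 0)
    }
}

$report = Test-RpcExposure
$report | Format-List

# Interim mitigation if Exposed is True and the update cannot go on yet: block the
# endpoint mapper on the Public profile (adjust -Profile for hosts whose edge
# network maps to a different profile). Uncomment to apply.
# New-NetFirewallRule -DisplayName 'Block inbound RPC endpoint mapper (Public)' `
#     -Direction Inbound -Protocol TCP -LocalPort 135 -Profile Public -Action Block
```

Exposed is only a local verdict: a host that reports False can still be reachable through a NAT or cloud security group that forwards TCP 135, and a host that reports True may sit behind an edge firewall that drops it, so confirm with a scan from outside the perimeter before acting on the number. The block rule is a stopgap for internet-facing hosts only; RPC over TCP 135 is required for normal domain operations on internal networks, and the fix is the July update.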
Adobe meanwhile pushed out fixes for 27 CVEs across Acrobat and Reader, Photoshop, RoboHelp and Adobe Character Animator. The update for Acrobat and Reader addresses 22 different Critical- and Important-rated bugs, notes the ZDI, which handled the vast majority of the vulnerability reports to Adobe. The most severe of these could allow code execution if an attacker convinces a target to open a specially crafted PDF document.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack.
The year 2022 looks set to be another record-breaker for reported vulnerabilities. The Stack counts 12,715 CVEs reported in the first half of the calendar year alone, with more than 2,000 reported in each month for the first time.