Microsoft has released patches for 84 security vulnerabilities in its IT products for its July Patch Tuesday release, including an actively exploited Windows Client Server Runtime Subsystem (CSRSS) bug that could allow an attacker to execute code as SYSTEM.
According to security researchers at Zero Day Initiative (ZDI), Microsoft’s July Patch Tuesday release fixes security problems in Windows, Windows Azure components; Microsoft Defender for Endpoint; Microsoft Edge (Chromium-based); Office and Office Components; Windows BitLocker; Windows Hyper-V; Skype for Business and Microsoft Lync; Open-Source Software; and Xbox.
ZDI notes that these patches are in addition to others patched in Microsoft Edge, bringing the total number of July Patch Tuesday CVEs to 87.
Here’s a look at the security vulnerabilities you should prioritize.
CVE-2022-22047 – Windows CSRSS Elevation of Privilege
The bug that needs immediate attention is of course the CSRSS elevation of privilege flaw, since Microsoft lists it as under active attack. If an attacker can execute other code on the target, they can execute code as SYSTEM.
“Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system,” ZDI researchers note in a blog. “These attacks often rely on macros, which is why so many were disheartened to hear Microsoft’s delay in blocking all Office macros by default.”
Microsoft doesn’t reveal much more information than that, including where the vulnerability is being exploited or how widely it is being used.
CVE-2022-30216 – Windows Server Service Tampering Vulnerability
According to researchers, this vulnerability could allow an authenticated attacker to upload a malicious certificate to a target server. In addition, attackers that can install their own certificate on a target system could leverage this flaw for code execution and other purposes.
Tampering bugs don’t typically get much attention, but Microsoft gives this vulnerability its highest exploit index rating, meaning active exploits are expected within 30 days. Admins should prioritize this patch, especially to critical servers, ZDI notes.
Azure Site Recovery vulnerabilities
Microsoft’s July security updates include 32 bugs in Azure Site Recovery, two of which are remote code execution while the remainder are elevation of privilege flaws. Organizations relying on Azure Site Recovery should prioritize these patches, but note that they will likely need to upgrade to version 9.49 to remediate the bugs, according to ZDI.
CVE-2022-22029 – Windows Network File System Remote Code Execution Vulnerability
According to ZDI, the July Patch Tuesday release is the third month in a row with a critical-rated NFS bug. Although it carries a lower CVSS than previous ones, unauthenticated attackers can still use it to execute code remotely without user interaction. Although exploitation may require multiple attempts, successful exploitation may be hard to catch.
CVE-2022-22038 – Remote Procedure Call Runtime Remote Code Execution Vulnerability
This is a potentially wormable bug that could allow a remote, unauthenticated attacker to execute code on an affected system. Microsoft doesn’t note what privileges are required, but elevated privileges could lead to a wormable vulnerability, ZDI notes.
Attackers would need to make multiple repeated exploitation attempts, so complexity is high, but admins may not detect an attack unless RPC was actively being blocked, ZDI notes.
“If the exploit complexity were low, which some would argue since the attempts could likely be scripted, the CVSS would be 9.8. Test and deploy this one quickly.”
Two other critical-rated vulnerabilities
Rounding out the other critical-rated bugs are CVE-2022-22039, another NFS remote code execution flaw, and CVE-2022-30221, a Windows Graphics Component remote code execution flaw. The NFS vulnerability is similar to the other one mentioned above, albeit with a lower CVSS.
Meanwhile, the Windows Graphics Component bug has the highest CVSS this month. An attacker that is able to convince a targeted user to connect to a malicious RDP server could execute code on the victim’s system in the context of the targeted user.