It was a dark and stormy DEFCON. Water leaked from the ceilings onto the casino floors and lightning flashed across the sky. With over 25k attendees, Las Vegas was raining hackers. If you were not swept away in the storm in Las Vegas, you surely felt the flood of new vulnerability fixes on August’s Patch Tuesday update. Rain was in the forecast, but a heavy downpour of zero days was unexpected.

Zero day vulnerabilities get a lot of media attention, so it does not take long for opportunistic threat actors to spring into action. Digital Shadows (now ReliaQuest)’s Vulnerability Intelligence capability can help provide timely context to CVEs in one centralized location: the SearchLight portal. If you haven’t already, check out our Q2 2022 Vulnerability Roundup blog, which provides a detailed overview of CVE trends from the second quarter of 2022.

For this month’s vulnerability intelligence blog, I am going to dive into the need-to-know vulnerabilities from this month’s Patch Tuesday, along with several zero day vulnerabilities. 

Flood of vulnerabilities

Out of the 121 vulnerabilities addressed by Microsoft on Patch Tuesday, 17 were considered critical, not including the two zero day vulnerabilities discussed in the next section. The remaining vulnerabilities are classified as important including:

Table 1: The critical vulnerabilities addressed on Patch Tuesday

A majority of the flaws were privilege escalation vulnerabilities, followed by remote code execution (RCE) vulnerabilities (see Figure 1). Privilege escalation vulnerabilities were also the most commonly observed exploited vulnerability in Q2 2022, representing 48 percent of incidents reported by Digital Shadows (now ReliaQuest) in this period. However, RCE vulnerabilities took the top spot in Q1 2022, accounting for 37 percent of incidents during that period.

Figure 1: An overview of vulnerabilities fixed within the August Patch Tuesday

Privilege escalation is an integral part of most cyber attacks, regardless of motivation. Elevated privileges enable attackers to gain persistent access to a system and to deepen that access by opening doors into other parts of the network. There are two main types of privilege escalation: horizontal and vertical. When threat actors move laterally during an attack and take over a second account or system, they gain access to the privileges of the second account. This is known as horizontal privilege escalation.

If an attacker tries to increase the privileges of a regular user account, such as giving an intern’s account administrative privileges, this is known as vertical privilege escalation. Vulnerabilities that allow attackers to change their privileges can mean the difference between a single device compromise and the potential for a system-wide ransomware attack. When prioritizing patches, don’t let the RCE vulnerabilities overshadow the privilege escalation ones. To learn more about patch prioritization, check out our last vulnerability roundup blog, Leveraging the OODA Loop for Vulnerability Management.

Raining Zero Days

Microsoft released patches for two zero days on Patch Tuesday including an RCE vulnerability, tracked as CVE-2022-34713, impacting the Microsoft Windows Support Diagnostic Tool (MSDT). Dubbed DogWalk, the vulnerability was discovered in January 2020, but was not initially classified as a vulnerability by Microsoft as exploitation of the issue requires user interaction. An attacker would first need to use social engineering to convince a user to either navigate to a malicious website hosting an exploit, or open a malicious file containing the exploit. 

The bug, which could allow an attacker to copy an executable to the Windows Startup folder, was recently brought to light again by a security researcher on Twitter, which caught the attention of Microsoft. After taking another look, the vulnerability was given a CVE identification number and an official patch. The Cybersecurity & Infrastructure Security Agency (CISA) added the DogWalk vulnerability to the Known Exploitable Vulnerabilities Catalog on 09 Aug 2022. Organizations should apply the appropriate patches as soon as possible.
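A defender-side check for the behaviour described above, as an added example that is not from the original post: it lists files in the Windows Startup folders that look executable by content or by extension and were modified within a lookback window. The extension list, the 30-day window and the sample files in `demo()` are assumptions constructed for illustration.

```python
import os
import tempfile
import time
from pathlib import Path

# Extensions Windows runs directly at logon (assumed, non-exhaustive list).
RISKY_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta"}
STARTUP_TAIL = Path("Microsoft", "Windows", "Start Menu", "Programs", "Startup")

def startup_dirs(env=os.environ):
    """Per-user and all-users Startup folders, for the variables that are set."""
    return [Path(env[v]) / STARTUP_TAIL for v in ("APPDATA", "PROGRAMDATA") if v in env]

def is_pe(path):
    """True if the file begins with the 'MZ' magic of a Windows executable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False

def audit(folder, since_epoch):
    """List (name, reasons) for executable-looking files modified since since_epoch."""
    findings = []
    folder = Path(folder)
    if not folder.is_dir():
        return findings
    for entry in sorted(folder.iterdir()):
        if not entry.is_file() or entry.stat().st_mtime < since_epoch:
            continue
        reasons = (["PE header"] if is_pe(entry) else []) + (
            ["risky extension"] if entry.suffix.lower() in RISKY_EXT else [])
        if reasons:
            findings.append((entry.name, reasons))
    return findings

def demo():
    """Run the audit over a constructed Startup folder (sample files, not real malware)."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        samples = {"OneDrive.lnk": b"L\x00\x00\x00", "helper.exe": b"MZ\x90\x00",
                   "renamed.dat": b"MZ\x90\x00", "old.exe": b"MZ\x90\x00"}
        for name, data in samples.items():
            Path(tmp, name).write_bytes(data)
        os.utime(Path(tmp, "old.exe"), (now - 90 * 86400,) * 2)  # predates the window
        return audit(tmp, now - 30 * 86400)

if __name__ == "__main__":
    for d in startup_dirs():
        print(d, audit(d, time.time() - 30 * 86400))
```

Shortcuts (`.lnk`) are the normal content of a Startup folder and are not flagged; a file with an `MZ` header under an unrelated extension is reported because its content does not match its name.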

Figure 2: Vulnerability timeline for CVE-2022-34713, available on Digital Shadows (now ReliaQuest)’s Vulnerability Intelligence portal.

The other zero day included in the August Patch Tuesday is another elevation of privileges vulnerability in Microsoft Exchange Server, tracked as CVE-2022-30134. This remotely exploitable flaw has the potential to expose sensitive information. There is no evidence the vulnerability is being actively exploited in the wild.

Figure 3: Additional context for CVE-2022-30134 as detailed in our SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) portal.

On 16 Aug 2022, Google released a security update for the Chrome browser to fix several vulnerabilities, including an actively exploited zero day tracked as CVE-2022-2856. According to the Chrome release notes from Google, CVE-2022-2856 was caused by insufficient validation of untrusted Intents. Web Intents is a feature in Chrome that allows applications and web services to be launched from a web page. This vulnerability was also added to CISA’s Known Exploitable Vulnerabilities Catalog on 18 Aug 2022.

Figure 4: Risk factors of CVE-2022-2856 available in our Vulnerability Intelligence portal.

On 18 Aug 2022, Apple released security updates addressing two zero day vulnerabilities impacting macOS, iOS, and iPadOS devices, as well as the Safari browser. The first is an out-of-bounds write vulnerability in the operating system’s kernel, tracked as CVE-2022-32894, that could allow an application to execute code with kernel privileges. The kernel is a program that operates as the core component of an operating system and has the highest privileges in macOS, iPadOS, and iOS. An out-of-bounds write vulnerability involves a piece of software that writes data past the end, or before the beginning, of an intended buffer, which can cause data corruption, a crash, or code execution.

The second zero day, tracked as CVE-2022-32893, is an out-of-bounds write vulnerability in WebKit, the engine used by Safari and other applications that can access the web on these devices. If exploited, an attacker could perform arbitrary code execution remotely.

These security updates highlight the importance of automatically applying security updates. Personal devices employees use could remain vulnerable and pose a risk to enterprises. A compromised personal device could result in initial access to the corporate environment. Defenders should push patches out immediately and send notifications that employees should be patching any personal iPhones, iPads, or Macs.

Figure 5: The CVSS score of CVE-2022-32893 as seen in the SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) portal.

Save time with Vulnerability Intelligence

As a security practitioner, I wish I had more time in the day to get everything done, more time to research complex threats, and more time to analyze the risk associated with vulnerabilities. Save time with SearchLight. Schedule a demo to see our Vulnerability Intelligence in action! Digital Shadows (now ReliaQuest) has a dedicated team of vulnerability intelligence analysts that combine automated collection with their continuous monitoring and analysis.

Not ready to talk? Check out our Vulnerability Intelligence Best Practices Guide instead.