Patch Tuesday: 02.2022

Patch Tuesday – February 2022

LNDSR commentary on the security updates released on Patch Tuesday for February 2022:

• Microsoft

• • This month, Microsoft have addressed 51 vulnerabilities
  • Microsoft has not rated any of these patches as Critical.
  • One of the vulnerabilities addressed have been publicly disclosed
  • None of the vulnerabilities have been detected as actively attacked in the wild.

• Vulnerabilities of interest: 

• • CVE-2022-21984 – Windows DNS Server Remote Code Execution Vulnerability – RCE / (CVSS:8.8): This patch fixes a remote code execution bug in the Microsoft DNS server. The server is only affected if dynamic updates are enabled, however this is a relatively common configuration in most deployments. Exploitation of this will result in an attacker completely taking over your organisations DNS and executing code with elevated privileges. Microsoft have downgraded the severity of this issue because dynamic updates aren’t enabled by default, therefore rating this as Important and not Critical. If your DNS servers are set to dynamic updates, this should be a treated as a top priority fix.

• • CVE-2022-23280 – Microsoft Outlook for Mac Security Feature Bypass Vulnerability – INFO / (CVSS:7.9): This vulnerability allows images to automatically appear in the Preview Pane even if this setting is disabled. Exploitation of this issue will expose the victims’ IP information. Concern arises when this is chained with a separate exploit which could provide further levels of compromise.

• • CVE-2022-22005 – Microsoft SharePoint Server Remote Code Execution Vulnerability – RCE / (CVSS:8.8): This patch fixes a vulnerability in SharePoint Server that could allow an authenticated user to execute arbitrary .NET code on the server under the context and permissions of the service account of SharePoint Web Application. An attacker would need “Manage Lists” permissions to exploit this, by default, authenticated users are able to create their own sites and, in this case, the user will be the owner of this site and will have all necessary permissions. This case came through the ZDI, and we’ll have additional details out about it in the near future.

• Microsoft products patched this month:

• • • Microsoft Windows
    • Office 2013/2013 Click-to-Run (C2R)/2016/2019 Outlook 2016 for Mac
    • Excel 2013/2016
    • SharePoint Server 2019
    • SharePoint Enterprise Server 2013/2016 365 Apps Enterprise
    • Office 2019 for Mac
    • Office LTSC for Mac 2021
    • Office LTSC 2021
    • Office Online Server
    • Office Web Apps Server 2013 OneDrive Android
    • SharePoint Foundation 2013 SharePoint Server Subscription Edition Teams Android
    • Teams iOS
    • Teams Admin Center

Other notable vendor releases:

• WordPress issued a product point release update from 5.8.3 to 5.9
• Adobe released 5 security updates covering 17 vulnerabilities.
• Android released security updates for 21 vulnerabilities during February 2022.
• Apple released 9 product security updates for iOS, tvOS, watchOS, iPadOS, Safari and macOS over the last 4 weeks.
• Cisco released 22 security updates addressing multiple vulnerabilities including Log4j issues.
• SAP released security updates for 13 vulnerabilities including Log4j 2.x
• VMWare released 3 security advisories for VMWare Workstation, Fusion, ESXi, Cloud Foundation & Horizon Client.
• Intel issued 22 security updates for its product ranges.
• Citrix released 11 patches through the last 4 weeks.
• Mozilla has updated Firefox and Firefox ESR.
• Samba has announced a security update fixing a single vulnerability.
• Schneider Electric have again addressed multiple vulnerabilities with 11 security updates.
• Siemens have released 35 product security updates.
• Linux distributions Oracle Linux, Red Hat, and SUSE have released updates.