Microsoft Patch Tuesday Summary
Microsoft has fixed 55 vulnerabilities (aka flaws) in the June 2022 update, including three (3) vulnerabilities classified as Critical as they allow Remote Code Execution (RCE). This month’s Patch Tuesday cumulative Windows update includes the fix for one (1) zero-day vulnerability (CVE-2022-30190). Microsoft also released an advisory to address five (5) Intel vulnerabilities (Microsoft Advisory 220002, Intel-SA-00615).
Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege, Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, and Spoofing vulnerabilities.
The June 2022 Microsoft vulnerabilities are classified as follows:
Notable Microsoft Vulnerabilities Patched
This month’s advisory covers multiple Microsoft product families, including Azure, Developer Tools, Edge-Chromium Browser, Microsoft Office, SQL Server, System Center, and Windows.
A total of 25 unique Microsoft products/versions are affected.
Downloads include Azure Hotpatch, Cumulative Updates, Monthly Rollup, Security Only, and Security Updates.
CVE-2022-30136 | Windows Network File System Remote Code Execution (RCE) Vulnerability
This vulnerability has a CVSSv3.1 score of 9.8/10.
This vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE).
Exploitability Assessment: Exploitation More Likely.
CVE-2022-30158 | Microsoft SharePoint Server Remote Code Execution (RCE) Vulnerability
This vulnerability has a CVSSv3.1 score of 8.8/10.
An authenticated attacker with access to a server that has Sandboxed Code Service enabled could execute code in the context of the web service account.
The attacker must be authenticated and possess the permissions for page creation to be able to exploit this vulnerability.
Exploitability Assessment: Exploitation Unlikely.
CVE-2022-30163 | Windows Hyper-V Remote Code Execution (RCE) Vulnerability
This vulnerability has a CVSSv3.1 score of 8.5/10.
To exploit this vulnerability, an attacker could run a specially crafted application on a Hyper-V guest that could cause the Hyper-V host operating system to execute arbitrary code.
Successful exploitation of this vulnerability requires an attacker to win a race condition.
In this case, a successful attack could be performed from a low privilege Hyper-V guest. The attacker could traverse the guest’s security boundary to execute code on the Hyper-V host execution environment.
Exploitability Assessment: Exploitation Less Likely.
CVE-2022-30139 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution (RCE) Vulnerability
This vulnerability has a CVSSv3.1 score of 7.5/10.
This vulnerability is only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. Systems with the default value of this policy would not be vulnerable.
For more information, please see LDAP policies.
Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.
Exploitability Assessment: Exploitation Less Likely.
CVE-2022-30145 | Windows Encrypting File System (EFS) Remote Code Execution (RCE) Vulnerability
This vulnerability has a CVSSv3.1 score of 7.5/10.
Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.
Exploitability Assessment: Exploitation Less Likely.
About Qualys Patch Tuesday
Qualys Patch Tuesday QIDs are published as Security Alerts typically late in the evening on the day of Patch Tuesday, followed later by the publication of the monthly queries for the Unified Dashboard: 2022 Patch Tuesday (QID Based) Dashboard by Noon on Wednesday.