Microsoft has addressed 55 vulnerabilities in its latest Patch Tuesday update cycle, June being the second consecutive month wherein the patch load was below the 100 mark. Redmond also cautioned users about the BlackCat ransomware gang targeting unpatched Exchange servers.
In addition to those 55 fixes, Microsoft’s June release also addresses the recently discovered Follina vulnerability (CVE-2022-30190) in the Microsoft Support Diagnostic Tool (MSDT), a widely used Windows troubleshooting tool. Follina is a severe vulnerability that allows threat actors to remotely execute arbitrary code and take over systems using malicious Word files.
Of all the vulnerabilities fixed on June Patch Tuesday, Follina was the only one under active exploitation, via a publicly available exploit. However, three of the remaining 55 flaws are rated critical in severity, so although the patch count is lower than in recent months, it is prudent to update as soon as possible.
“This month’s Patch Tuesday offers some much-needed respite for IT teams. However, there are still a few critical vulnerabilities for administrators to focus on to reduce the risk of a breach at their organization – including a particularly nasty remote code execution vulnerability in Windows Network File System (NFS),” Automox opined.
Of the rest, 51 were rated important, while one was rated moderate in severity. “It’s also interesting to note what is not included in today’s release. This is the first month in recent memory without an update for the Print Spooler,” noted Dustin Childs of Trend Micro’s Zero Day Initiative.
Print Spooler is a Windows OS service that lets users print documents over locally networked printers. It has previously been associated with PrintNightmare, Evil Printer, PrintDemon, FaxHell, and other security issues. “We’ll see if that trend continues or if this reprieve is only temporary,” Childs added.
Critical Vulnerability Fixes From June Patch Tuesday
All three critical vulnerabilities that featured in the June Patch Tuesday allow remote code execution. Of the three, CVE-2022-30136 has the highest CVSS score at 9.8. It exists in the Windows Network File System (NFS) file sharing protocol for Windows and Unix-based systems.
The May Patch Tuesday featured a similar vulnerability (CVE-2022-26937) in NFS. Last month, Redmond noted that NFSv2 and NFSv3 were exploitable through CVE-2022-26937 while NFSv4.1 was not. This time, however, the patch for CVE-2022-30136 is for NFSv4.1.
CVE-2022-30163 (CVSS 8.5) and CVE-2022-30136 (CVSS 7.5), the remaining two critical vulnerabilities, reside in Windows Hyper-V and Windows Lightweight Directory Access Protocol (LDAP), respectively. The former is complex to exploit, since an attacker needs to win an unspecified race condition. Once exploited, however, the threat actor could escape from a guest virtual machine to the host.
Meanwhile, CVE-2022-30147 (CVSS 7.8) isn’t as critical as the three described above, but Microsoft rated it “exploitation more likely.”
June Patch Tuesday Vulnerability Types and Products Affected
Types of Vulnerabilities Fixed on June Patch Tuesday | Source: Tenable
Product-wise, Windows LDAP featured the highest number of vulnerability fixes.
Product-Wise Number of Vulnerabilities | Source: Rapid7
Considering the June Patch Tuesday has the lowest number of vulnerabilities since February, a pattern similar to 2021, Automox said administrators “should be taking advantage of a relatively light month to prepare for what could be a heavy July.”
What Wasn’t Included in June Patch Tuesday
A noteworthy omission from June Patch Tuesday is the absence of fixes for two RCE vulnerabilities in Microsoft’s Azure Synapse Analytics. The flaws were disclosed by Tenable in March 2022, and Microsoft has already rolled out fixes starting in late April. No action is required from users of the platform, which is used for machine learning, big data analytics, data integration and warehousing.
Tenable wrote in a blog post, “These flaws allow a user to escalate privileges to that of the root user within the underlying Apache Spark virtual machines, or to poison the hosts file of all nodes in an Apache Spark pool.” It could further allow lateral movement which could lead to the compromise of other Microsoft-owned infrastructure.
What’s disconcerting is that Microsoft initially refused to treat it as a security issue. “During the final days of the disclosure process, Microsoft Security Response Center (MSRC) began attempting to downplay the severity of the privilege escalation issue and classified it as a ‘best practice recommendation,’ rather than a security issue,” Tenable added.
“Despite clear evidence to the contrary, MSRC declined a bounty or acknowledgement for this finding. After being notified of our intent to publish information about the vulnerabilities, Microsoft representatives reversed the prior decision, classifying these issues as security-related, demonstrating a clear lack of communication among the teams involved within Microsoft.”
The Windows-maker also waited until now to fix Follina, a critical security issue that was discovered late in May.
BlackCat is Targeting Vulnerable Exchange Servers
Microsoft’s June Patch Tuesday coincides with an advisory the tech giant released, warning organizations about the BlackCat ransomware gang attacking organizations through unpatched Exchange Servers.
Affiliates of the ransomware syndicate, particularly DEV-0237 (also known as FIN12) and DEV-0504, are actively trying to deploy the BlackCat ransomware through vulnerable instances of the mail and calendaring server.
BlackCat, which operates a ransomware-as-a-service model, is the latest ransomware strain being used by DEV-0237, which previously targeted organizations using the Conti, Hive, and Ryuk ransomware strains.
On the other hand, DEV-0504’s use of the BlackCat ransomware comes after black hat operations using REvil, LockBit 2.0, Conti, BlackMatter, and Ryuk.
Also known as ALPHV, BlackCat has caught the attention of the FBI, which in April released an advisory stating the ransomware gang has targeted at least 60 organizations globally since March 2022.
Microsoft warned that the attack vectors used by BlackCat are not necessarily the same from one intrusion to the next. “While their TTPs remain largely the same (for example, using tools like Mimikatz and PsExec to deploy the ransomware payload), BlackCat-related compromises have varying entry vectors, depending on the ransomware affiliate conducting the attack,” the company said.
“Therefore, the pre-ransom steps of these attacks can also be markedly different.” As such, the company didn’t spell out exactly which vulnerabilities were being exploited by BlackCat. In one attack instance, the affiliates used compromised credentials, while in other cases, the BlackCat affiliates used four Exchange Server vulnerabilities. Microsoft clarified that the most common entry vectors are remote desktop applications and compromised credentials.
BlackCat also featured at #2 in Cyber Security Works and Ivanti’s list of ransomware gangs that exploited the most vulnerabilities in Q1 2022. For technical details and mitigation, refer to Microsoft’s or Cisco’s detailed posts about the ransomware gang.
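The TTPs Microsoft cites above leave a footprint defenders can look for: PsExec deploys its payload by registering a service on the target (by default named PSEXESVC, with the binary staged over the ADMIN$ share), and the Service Control Manager records every new service as Event ID 7045 in the Windows System log. The following is an added example, not code from this article or from Microsoft’s advisory. It runs a simple classifier over System-log records; the hostnames, service names and paths are constructed samples, and the two heuristics are assumptions a team would tune to its own environment.

```python
"""Flag PsExec-style remote service installs in Windows System-log records.

Added example, not from the article or from Microsoft's advisory.
Event ID 7045 ("A service was installed in the system") is logged by the
Service Control Manager for each new service; PsExec creates one on every
host it runs on. The records below are constructed samples.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample records shaped like exported System-log events.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "srv-01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "srv-02", "ServiceName": "Print Spooler",
     "ImagePath": r"%SystemRoot%\System32\spoolsv.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "srv-03", "ServiceName": "MyTool-12345",
     "ImagePath": r"\\srv-03\ADMIN$\mytool.exe", "AccountName": "LocalSystem"},
    # A service state change (7036), not an install; must be ignored.
    {"EventID": 7036, "Computer": "srv-01", "ServiceName": "PSEXESVC",
     "ImagePath": "", "AccountName": ""},
]


@dataclass
class Finding:
    computer: str
    service_name: str
    image_path: str
    reason: str


# Heuristic 1: the default service name PsExec registers.
PSEXEC_NAME = re.compile(r"^psexesvc$", re.IGNORECASE)
# Heuristic 2: a service binary referenced through a remote ADMIN$ share,
# which is how PsExec (and renamed copies of it) stage the executable.
ADMIN_SHARE_PATH = re.compile(r"\\\\[^\\]+\\ADMIN\$\\", re.IGNORECASE)


def classify(event: dict) -> Optional[str]:
    """Return why a 7045 event looks PsExec-like, or None if it does not."""
    if event.get("EventID") != 7045:
        return None
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "")
    if PSEXEC_NAME.match(name):
        return "default PsExec service name"
    if ADMIN_SHARE_PATH.search(path):
        return "service binary staged via ADMIN$ share"
    return None


def find_suspicious(events: Iterable[dict]) -> List[Finding]:
    """Run classify() over a stream of events and collect the hits."""
    findings = []
    for ev in events:
        reason = classify(ev)
        if reason is not None:
            findings.append(Finding(ev.get("Computer", "?"),
                                    ev.get("ServiceName", ""),
                                    ev.get("ImagePath", ""), reason))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f"{f.computer}: service '{f.service_name}' ({f.image_path}) - {f.reason}")
```

The name check is cheap but trivially evaded by renaming the binary; the ADMIN$ path check survives renaming and is the one worth keeping as a baseline. Both rules assume 7045 is being collected centrally, which is itself a prerequisite worth verifying.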