Microsoft has fixed an important-severity flaw that could give an authenticated attacker the ability to execute code with elevated privileges, as part of its regularly scheduled security updates released on Tuesday.
The elevation-of-privilege flaw (CVE-2022-37969) exists in the Windows Common Log File System (CLFS) driver, a logging service that can be used by software clients in user mode or kernel mode. Microsoft said that an attacker who exploited the flaw could gain SYSTEM privileges, but it’s important to note that the attacker would already need access to the system and the ability to run code on it. The flaw has been publicly disclosed and exploitation has been detected, according to Microsoft. Researchers with DBAPP Security, Mandiant, CrowdStrike and Zscaler were credited with discovering the flaw.
“We found this zero-day bug during a proactive Offensive Task Force exploit hunting mission,” said Dhanesh Kizhakkinan, senior principal vulnerability engineer with Mandiant, one of the companies that discovered the issue. “An escalation of privilege (EOP) exploit was found in the wild, exploiting this Common Log File System (CLFS) vulnerability. The exploit seems to stand-alone and is not part of a chain (like browser + EOP).”
Microsoft listed the attack vector as “local,” which the company said means the vulnerable component is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. However, the attack complexity and privileges required are listed as “low,” and Microsoft said that no user interaction is required for the flaw.
Genwei Jiang, senior vulnerability engineer with Mandiant and one of the researchers credited with discovering the bug, said that after the flaw was found it was immediately submitted to Microsoft, and the company "quickly developed and issued an initial patch." The issue was first discovered on Aug. 30 and reported to Microsoft on Sept. 1. As the exploit is publicly available, it’s very easy to develop and exploit, said Jiang.
Overall, Microsoft’s security advisory addressed 79 CVEs, including five critical-severity flaws and 57 important-severity flaws. One of those critical vulnerabilities (CVE-2022-34718) exists in Windows TCP/IP and could enable a remote, unauthenticated attacker to execute code with elevated privileges on impacted systems, without user interaction. Microsoft said exploitation is “more likely” for this flaw, but the vulnerability only affects systems that have IPv6 enabled and IPSec configured.
“An unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPSec is enabled, which could enable a remote code execution exploitation on that machine,” according to Microsoft’s advisory.
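As an added exposure check that is not part of the article, the following PowerShell reports whether a Windows host meets both preconditions Microsoft attaches to CVE-2022-34718 (IPv6 enabled on an adapter and IPsec configured). The cmdlets are standard NetAdapter and NetSecurity module commands; treating an enabled IPsec rule in the active policy store or an existing main-mode security association as "IPsec configured" is this check's own assumption, not wording from the advisory.

```powershell
# Added exposure check (not from the article or from Microsoft): report whether this
# host satisfies the two preconditions named for CVE-2022-34718, IPv6 bound on an
# adapter and IPsec in use. Run from an elevated PowerShell session on the host.

# IPv6 binding state per adapter; ms_tcpip6 is the component ID of the TCP/IPv6 stack.
$ipv6Bindings = Get-NetAdapterBinding -ComponentID 'ms_tcpip6' |
    Where-Object { $_.Enabled }

# Enabled IPsec rules in the active policy store (local policy plus applied GPOs).
$ipsecRules = Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' }

# IPsec main-mode security associations currently negotiated with peers;
# a non-empty list means IPsec is actively being used, not merely configured.
$ipsecSas = Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue

# Assumption: either an enabled IPsec rule or a live SA counts as "IPsec configured".
$ipsecConfigured = (@($ipsecRules).Count -gt 0) -or (@($ipsecSas).Count -gt 0)

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    IPv6EnabledAdapters = @($ipv6Bindings | Select-Object -ExpandProperty Name)
    EnabledIPsecRules   = @($ipsecRules).Count
    MainModeSAs         = @($ipsecSas).Count
    MeetsPreconditions  = (@($ipv6Bindings).Count -gt 0) -and $ipsecConfigured
}
```

A host that reports MeetsPreconditions as True should be prioritised for the September update; a False result narrows exposure but is not a substitute for patching, since the advisory condition describes reachability, not the underlying code defect.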
Other noteworthy vulnerabilities include an important-severity denial-of-service bug in Windows DNS Server, which can be exploited by a remote, unauthenticated actor, and two remote code execution flaws in the Windows Internet Key Exchange protocol (CVE-2022-34721 and CVE-2022-34722) that can be exploited by an attacker who sends a specially crafted IP packet. Microsoft has fixed a number of zero-day flaws in the last few months. In August, the company said it fixed a variant of a publicly known, important-severity remote code execution flaw (CVE-2022-34713) in the Microsoft Windows Support Diagnostic Tool, which had been exploited by attackers.