Microsoft March 2022 Patch Tuesday fixes 71 flaws, 3 zero-days

Gandalf_The_Grey

Level 61
Thread author
Verified
Helper
Top poster
Content Creator
Well-known
Apr 24, 2016
5,037
Today is Microsoft's March 2022 Patch Tuesday, and with it comes fixes for three zero-day vulnerabilities and a total of 71 flaws.

Microsoft has fixed 71 vulnerabilities (not including 21 Microsoft Edge vulnerabilities) with today's update, with three classified as Critical as they allow remote code execution.

The number of bugs in each vulnerability category is listed below:
  • 25 Elevation of Privilege Vulnerabilities
  • 3 Security Feature Bypass Vulnerabilities
  • 29 Remote Code Execution Vulnerabilities
  • 6 Information Disclosure Vulnerabilities
  • 4 Denial of Service Vulnerabilities
  • 3 Spoofing Vulnerabilities
  • 21 Edge - Chromium Vulnerabilities

Three zero-days fixed, none actively exploited

This month's Patch Tuesday includes fixes for three publicly disclosed zero-day vulnerabilities. The good news is that none of these vulnerabilities were actively exploited in attacks.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The publicly disclosed vulnerabilities fixed as part of the March 2022 Patch Tuesday are:
  • CVE-2022-21990 - Remote Desktop Client Remote Code Execution Vulnerability
  • CVE-2022-24459 - Windows Fax and Scan Service Elevation of Privilege Vulnerability
  • CVE-2022-24512 - .NET and Visual Studio Remote Code Execution Vulnerability
While none of these vulnerabilities have been used in attacks, Microsoft states that there are public proof-of-concept exploits for CVE-2022-21990 and CVE-2022-24459.

Other vulnerabilities of interest this month that Microsoft believes are more likely to be targeted by threat actors are:
  • CVE-2022-24508 - Windows SMBv3 Client/Server Remote Code Execution Vulnerability
  • CVE-2022-23277 - Microsoft Exchange Server Remote Code Execution Vulnerability
Now that Microsoft has issued patches for these vulnerabilities, it should be expected for threat actors to analyze the vulnerabilities to learn how to exploit them.

Recent updates from other companies

Other vendors who released updates in March 2022 include:
 

Gandalf_The_Grey
ZDI: The March 2022 Security Update Review
It’s once again Patch Tuesday, which means the latest security updates from Adobe and Microsoft have arrived. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for March 2022

The Adobe release for March is quite small. This month, Adobe released only three patches addressing six CVEs in Adobe Photoshop, Illustrator, and After Effects. The patch for After Effects is the largest of the three. It fixes four Critical-rated, stack-based buffer overflows that could result in arbitrary code execution. The fix for Illustrator is also rated Critical. It addresses a single buffer overflow that could lead to arbitrary code execution. Finally, the update for Photoshop fixes a single Important-rated memory leak.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.

Microsoft Patches for March 2022

For March, Microsoft released 71 new patches addressing CVEs in Microsoft Windows and Windows Components, Azure Site Recovery, Microsoft Defender for Endpoint and IoT, Intune, Edge (Chromium-based), Windows HTML Platforms, Office and Office Components, Skype for Chrome, .NET and Visual Studio, Windows RDP, SMB Server, and Xbox. This is in addition to the 21 CVEs patched by Microsoft Edge (Chromium-based) earlier this month, which brings the March total to 92 CVEs.

Of the 71 CVEs released today, three are rated Critical and 68 are rated Important in severity. A total of seven of these bugs came through the ZDI program. Historically speaking, this volume is in line with previous March releases. However, the number of Critical-rated patches is again strangely low for this number of bugs. It’s unclear if this low percentage of bugs is just a coincidence or if Microsoft might be evaluating the severity using a different calculus than in the past.

None of the bugs are listed as under active exploit this month, while three are listed as publicly known at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with one of the bugs listed as publicly known:

- CVE-2022-21990 – Remote Desktop Client Remote Code Execution Vulnerability
This client-side bug doesn’t have the same punch as server-side related RDP vulnerabilities, but since it’s listed as publicly known, it makes sense to go ahead and treat this as a Critical-rated bug. If an attacker can lure an affected RDP client to connect to their RDP server, the attacker could trigger code execution on the targeted client. Again, this isn’t as severe as BlueKeep or some of the other RDP server bugs, but it definitely shouldn’t be overlooked.

- CVE-2022-23277 – Microsoft Exchange Server Remote Code Execution Vulnerability
This Critical-rated bug in Exchange Server was reported by long-time ZDI contributor Markus Wulftange. The vulnerability would allow an authenticated attacker to execute their code with elevated privileges through a network call. This is also listed as low complexity with exploitation more likely, so it would not surprise me to see this bug exploited in the wild soon - despite the authentication requirement. Test and deploy this to your Exchange servers quickly.

- CVE-2022-24508 – Windows SMBv3 Client/Server Remote Code Execution Vulnerability
This bug could allow an attacker to execute code on Windows 10 version 2004 and newer systems. It’s also reminiscent of CVE-2020-0796 from a couple of years ago. Both also list disabling SMBv3 compression as a workaround for SMB servers, but this doesn’t help clients. In 2020, Microsoft noted SMBv3 compression “is not yet used by Windows or Windows Server and disabling SMB Compression has no negative performance impact.” That’s not in the current advisory, so it’s unclear what effect disabling this feature will have now. Authentication is required here, but since this affects both clients and servers, an attacker could use this for lateral movement within a network. This is another one I would treat as Critical and mitigate quickly.

- CVE-2022-21967 – Xbox Live Auth Manager for Windows Elevation of Privilege Vulnerability
This appears to be the first security patch impacting Xbox specifically. There was an advisory for an inadvertently disclosed Xbox Live certificate back in 2015, but this seems to be the first security-specific update for the device itself. Microsoft even notes other Windows OSes are not affected by this bug. It’s not clear how an attacker could escalate privileges using this vulnerability, but the Auth Manager component is listed as affected. This service handles interacting with the Xbox Live service. I doubt many enterprises are reliant on Xbox or Xbox Live, but if you are, make sure this patch doesn’t go unnoticed.
The next Patch Tuesday falls on April 12, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!
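Added example, not part of the ZDI write-up and not Microsoft's own tooling: a PowerShell script that audits and, with -Apply, sets the server-side SMBv3 compression workaround mentioned for CVE-2022-24508. It assumes the DisableCompression value under the LanmanServer Parameters key (the value Microsoft documented for CVE-2020-0796) and that Windows 10 version 2004 is build 19041; as the write-up notes, this protects the SMB server side only, not clients.

```powershell
# Added example (not from the article or Microsoft): audit and optionally apply the
# SMBv3 compression workaround for CVE-2022-24508 on the SMB *server* side.
# Assumed registry value (the one documented in Microsoft's 2020 CVE-2020-0796 guidance):
#   HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\DisableCompression
# Run from an elevated PowerShell session.
[CmdletBinding()]
param(
    [switch]$Apply   # without -Apply the script only reports the current state
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$name    = 'DisableCompression'

# The advisory scopes the bug to Windows 10 version 2004 and newer (build 19041 assumed).
$build = [System.Environment]::OSVersion.Version.Build
if ($build -lt 19041) {
    Write-Output "Build $build predates Windows 10 version 2004; SMBv3 compression is not present here."
    return
}

# Read the current value; a missing value means compression is left enabled.
$current = (Get-ItemProperty -Path $regPath -Name $name -ErrorAction SilentlyContinue).$name
if ($current -eq 1) {
    Write-Output 'SMB server compression is already disabled (DisableCompression = 1).'
} elseif ($Apply) {
    Set-ItemProperty -Path $regPath -Name $name -Type DWord -Value 1 -Force
    Write-Output 'Disabled SMB server compression (DisableCompression = 1).'
} else {
    Write-Output 'SMB server compression is ENABLED; re-run with -Apply to set the workaround.'
}

# The workaround does nothing for outbound SMB client connections from this host,
# so treat it as a stopgap until the March 2022 update is installed.
```

Record the pre-change state from the first run so the workaround can be reverted once the March 2022 update is deployed.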
 

Gandalf_The_Grey
Ghacks: Microsoft Windows Security Updates March 2022 overview
It is the second Tuesday of the month, and that means it is Microsoft Patch Day. Microsoft released security updates for its Windows operating system and other company products, including Microsoft Office, on March 8, 2022.

Our security updates reference for March 2022 provides you with information about the released updates. The overview includes links to support pages, informs you about known issues confirmed by Microsoft, lists the severity for every supported server and client product, and more.
The following Excel spreadsheet includes the released security updates for Windows and other company products. Just download it with a click on the following link: Security Updates 2022-03-08-065952pm
 

upnorth
@Gandalf_The_Grey , have a very nice day/night, wherever you are located.