Urgent Vulnerability Notice: Microsoft Zero Day Actively Exploited, Impacting Server and Client Windows Platforms
What You Need to Know:
A zero-day vulnerability was found in the latest Widows 11 and Windows Server 2022 releases. CVE-2022-22047 is a local privilege escalation vulnerability found in the Windows Client and Windows Server Runtime Subsystem. Although Microsoft has issued a patch, the vulnerability is actively being exploited by attackers and has a CVSS rating of 6.8.
Technical details are sparse, however Microsoft’s advisory stated that an attacker who successfully exploits the vulnerability could gain SYSTEM privileges and disable local services such as Endpoint Detection and Security tools. However, in order to gain those privileges, the attacker must first gain access to the system by exploiting a separate code execution flaw. According to CISA, agencies affected by the zero day have three weeks to (until August 2, 2022), to patch CVE-2022-22047.
Microsoft has yet to reveal if the vulnerability is being used in widespread or targeted attacks but it’s still important to patch regardless of the details. In the absence of information, it’s always best to choose the safest option and in this case, it’s following Microsoft’s instructions for patching.
CVE-2022-30216 is a tampering vulnerability in the Windows Server Service that could allow an attacker to upload a malicious file certificate and target a server. Microsoft gave the bug its highest exploit index rating which means an active exploit could happen within 30 days.
CVE-2022-22029 is a remote code execution vulnerability found in the Windows NFS service. This is not an easy vulnerability to exploit, as an attacker would need to make repeated exploitation attempts through sending constant or intermittent data. However, attempts to exploit could go unnoticed, making patching a priority.
CVE-2022-22026 is an elevation of privilege flaw with a CVSS score of 7.8. If an attacker is successful, they could send specially crafted data to the local CSRSS service and escalate privileges from AppContainer to SYSTEM. An AppContainer environment is a defensible security boundary, making processes bypassing the boundary a change in Scope.
Because CVE-2022-22047 is actively exploited in the wild, it’s pertinent that your organization makes patching the vulnerabilities a priority. Attackers could target your devices and gain access to your networks and systems, causing devastation that could have a long-lasting impact on your business operations.
- Towerwall recommends that you follow Microsoft’s advisory and patch CVE-2022-22047 as soon as possible, as there are no published mitigations yet.
- Towerwall also recommends that you patch the other vulnerabilities mentioned in the notice: CVE-2022-30216, CVE-2022-22029, and CVE-2022-22026.
Indicators of Compromise (IoCs):
- At this time, there are no known IoCs associated with CVE-2022-22047. Towerwall’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Towerwall will disclose them as soon as possible. For more information on how Towerwall can help protect your organization, reach out to your Towerwall Service Delivery Manager or Account Executive.
- CVE-2022-22047 – Security Update Guide – Microsoft – Windows CSRSS Elevation of Privilege Vulnerability
- CVE-2022-30216 – Security Update Guide – Microsoft – Windows Server Service Tampering Vulnerability
- CVE-2022-22029 – Security Update Guide – Microsoft – Windows Network File System Remote Code Execution Vulnerability
- Microsoft Releases Fix for Zero-Day Flaw in July 2022 Security Patch Rollout (thehackernews.com)
- CVE-2022-22026 – Security Update Guide – Microsoft – Windows CSRSS Elevation of Privilege Vulnerability
- July 12, 2022—KB5015877 (Security-only update) (microsoft.com)
- CISA orders agencies to patch new Windows zero-day used in attacks (bleepingcomputer.com)
- Microsoft fixes exploited zero-day in Windows CSRSS (CVE-2022-22047) – Help Net Security