Back in June I said the next Patch Tuesday would be doom. I was correct; I just got the month wrong. August is absolutely awful. A total of 121 vulnerabilities were patched, 17 (!) of them rated critical. Two of them were publicly disclosed before the patch shipped, and one of those two is already being exploited in the wild. This might be the worst overall Patch Tuesday I have seen in my years of writing this series. It was clever of those bad-faith actors to lull us into a false sense of security. Let's go to the highlights!
Some highlights (or lowlights)
CVE-2022-34713: This one is publicly disclosed and already exploited in the wild. It is a Remote Code Execution (RCE) vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT). To trigger it, an attacker has to get a user to open a malicious file or link, typically delivered by email, so phishing is the realistic delivery path. That user-interaction requirement keeps the CVSS score lower than you might expect, at 7.8. Do not let the number fool you: of everything in this release, this is the patch to push first, because it is the one being used right now.
CVE-2022-30134: This is the other publicly disclosed vulnerability. It is an Information Disclosure vulnerability in Microsoft Exchange Server that lets an attacker read targeted email messages. It is listed as low complexity and needs an authenticated (low-privileged) attacker but no user interaction, which is why it lands at 7.6 rather than higher. It affects on-premises and hybrid Exchange deployments; Exchange Online is Microsoft's problem. Installing the August Security Update is unfortunately not enough: you also need to enable Extended Protection on your Exchange servers, which this update adds support for. Read Microsoft's guidance before you turn it on, because Extended Protection requires a consistent TLS configuration across your servers and does not work with SSL offloading on a load balancer. For the details, head over to Microsoft's guidance on this vulnerability.
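The first question you will be asked after enabling Extended Protection is "is it actually on?". The script below is an added example, not code from the original post and not Microsoft's tooling (Microsoft publishes ExchangeExtendedProtectionManagement.ps1 to enable Extended Protection; this block only audits the current state). It reads the IIS tokenChecking attribute for each Exchange virtual directory and flags the ones still set to None. It assumes it runs in an elevated PowerShell session on the Exchange server with the WebAdministration module available, and the directory list is an assumption you should check against Microsoft's Extended Protection documentation for your Exchange version.

```powershell
# Added example, not from the original post or from Microsoft: audit the IIS
# Extended Protection (tokenChecking) setting on the Exchange virtual directories.
# Run it in an elevated PowerShell session on each Exchange server.
# Assumptions: the WebAdministration module is present (it ships with IIS), and
# the directory list below matches your Exchange version; check it against
# Microsoft's Extended Protection documentation before relying on it.
Import-Module WebAdministration

$sites = [ordered]@{
    'Default Web Site'  = 'API','Autodiscover','ECP','EWS','Microsoft-Server-ActiveSync','OAB','OWA','PowerShell','Rpc'
    'Exchange Back End' = 'API','Autodiscover','ECP','EWS','Microsoft-Server-ActiveSync','OAB','OWA','PowerShell','RPC','PushNotifications'
}

# Extended Protection is configured under Windows authentication in applicationHost.config.
$filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

$results = foreach ($site in $sites.Keys) {
    foreach ($dir in $sites[$site]) {
        $location = "$site/$dir"
        try {
            $raw = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
                -Location $location -Filter $filter -Name 'tokenChecking' -ErrorAction Stop
            # Depending on the PowerShell/IIS version this comes back as a plain string
            # or as a ConfigurationAttribute object; normalise to the string value.
            $value = if ($raw -is [string]) { $raw }
                     elseif ($null -ne $raw.Value) { "$($raw.Value)" }
                     else { "$raw" }
        } catch {
            $value = "ERROR: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Location = $location; TokenChecking = $value }
    }
}

$results | Format-Table -AutoSize

# 'None' means Extended Protection is off for that directory. Microsoft's table
# specifies 'Require' for most directories and 'Allow' for a few, so compare the
# output against that table rather than assuming every entry must be 'Require'.
$off = @($results | Where-Object { $_.TokenChecking -eq 'None' })
if ($off.Count -gt 0) {
    Write-Warning ("Extended Protection is not enabled on {0} location(s): {1}" -f $off.Count, ($off.Location -join ', '))
} else {
    Write-Output 'No Exchange virtual directory has Extended Protection set to None.'
}
```

Run it before and after you enable Extended Protection and keep the "before" output; if Outlook or ActiveSync clients start failing afterwards, the diff tells you exactly which directory changed. An ERROR row usually means the virtual directory does not exist on that server (for example, a Mailbox-only role), not that anything is wrong with IIS.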
CVE-2022-35744: This is by far the highest rated of them all at 9.8. It is a Remote Code Execution vulnerability in the Windows Point-to-Point Protocol (PPP) implementation. It requires no privileges and no user interaction: an unauthenticated attacker sends a crafted connection request to a Remote Access Server (RAS) over TCP port 1723, the PPTP control channel, and runs code on the server. Because the attack depends on reaching port 1723, Microsoft's workaround is to block inbound traffic on that port at the perimeter firewall, which does prevent the attack. Just be aware that doing so also cuts off every PPTP VPN user you still have, so understand how that change lands in your environment before you make it.
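Before you block anything, find out whether the server is even exposing PPTP and who is currently connected through it. The script below is an added example, not code from the original post or from Microsoft: it reports whether anything on the host is listening on TCP 1723, whether the RemoteAccess service is running, which remote addresses currently hold a PPTP control connection, and, only when you pass -Block, adds a host firewall rule that drops inbound 1723 as a stopgap until the patch is deployed. It assumes an elevated PowerShell session on the RAS server; the rule name is ours and can be anything that fits your naming scheme.

```powershell
# Added example, not from the original post or from Microsoft: check whether this
# Windows server exposes the PPTP control channel on TCP 1723 and, only when run
# with -Block, add a host firewall rule that drops inbound 1723 as a stopgap until
# CVE-2022-35744 is patched. Run in an elevated session on the RAS server.
# Assumption: the rule name below is ours; pick whatever fits your naming scheme.
param([switch]$Block)

$port     = 1723
$ruleName = 'Stopgap - block inbound PPTP control channel (TCP 1723)'

# Who, if anyone, is listening on 1723? On a Routing and Remote Access server
# this is normally an svchost process hosting the RemoteAccess service.
$listeners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
if ($listeners) {
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Warning ("TCP {0} is open on {1} (PID {2}, {3})" -f $port, $l.LocalAddress, $l.OwningProcess, $proc.ProcessName)
    }
} else {
    Write-Output "Nothing is listening on TCP $port on this host."
}

$ras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if ($ras) {
    Write-Output ("RemoteAccess service is {0} (startup type {1})." -f $ras.Status, $ras.StartType)
}

# Established control connections are the VPN users a block would strand.
$sessions = @(Get-NetTCPConnection -State Established -LocalPort $port -ErrorAction SilentlyContinue)
if ($sessions.Count -gt 0) {
    $peers = ($sessions.RemoteAddress | Sort-Object -Unique) -join ', '
    Write-Warning ("{0} PPTP control connection(s) currently established from: {1}" -f $sessions.Count, $peers)
}

if ($Block) {
    if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
        Write-Output "Firewall rule '$ruleName' already exists; nothing to do."
    } else {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort $port -Action Block -Profile Any -Enabled True | Out-Null
        Write-Output "Added inbound block rule '$ruleName'. Undo with: Remove-NetFirewallRule -DisplayName '$ruleName'"
    }
} else {
    Write-Output 'Dry run: re-run with -Block to add the host firewall rule.'
}
```

The host rule is a second layer, not a replacement for the perimeter block Microsoft describes: an attacker who is already inside the network can still reach 1723 on a host that has not applied it. If the dry run shows no listener and no RemoteAccess service, there is nothing to block on that box and you can spend the change window on the patch instead.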
Wrapping up
August has everything: an unauthenticated RCE with a network attack vector, a known vulnerability that lets people read your email, and an already-exploited local attack vector bug. After several light months, this did feel inevitable. I hope you folks set up some automation around patching while it was slow! If you did not, PDQ Deploy and PDQ Inventory can be stood up in minutes and help get your patching automated right away. Once your patching is automated, you can kick back and watch your machines protect themselves, no matter how bad the month gets.