Address: Rue de la Loi 107, 1000 Brussels, BE Tel: +32 2 295 2100

Security Advisory 2022-060

Release Date:

Multiple Critical Vulnerabilities in Microsoft Products

Download

History:

  • 10/08/2022 --- v1.0 -- Initial publication

Summary

On August 9, Microsoft released its August 2022 Patch Tuesday advisory including fixes for 2 zero-day vulnerabilities identified CVE-2022-34713 and CVE-2022-30134, which affect respectively Microsoft Windows Support Diagnostic Tool (MSDT) and Microsoft Exchange Server [1].

The patch also contains fixes for 17 critical vulnerabilities affecting Active Directory Domain Services, Azure Batch Node Agent, Microsoft Exchange Server, Remote Access Service Point-to-Point Tunneling Protocol, Windows Hyper-V and Windows Kernel (SMB Client and Server), Windows Point-to-Point Tunneling Protocol and Windows Secure Socket Tunneling Protocol (SSTP) [2].

It is highly recommended patching affected devices.

Technical Details

CVE-2022-34713 - MSDT Remote Code Execution Vulnerability

This vulnerability, with a CVSS score of 7.8 out of 10, affects the Microsoft Windows Support Diagnostic Tool and could allow an attacker to execute some code on a device relying on the user to open a specially crafted file, such as an email attachment or a file downloaded from a website, to trigger the exploit.

CVE-2022-30134 - Microsoft Exchange Information Disclosure Vulnerability

This vulnerability, with a CVSS score of 7.6, affects Microsoft Exchange Server and could allow an attacker to read targeted email messages.

Other Critical Vulnerabilities

17 other critical vulnerabilities have also been patched. Even if they are not yet exploited, they are likely to be targeted soon based on reverse-engineering of the patches available.

Affected Products

Global list of affected products by all the vulnerabilities in the August advisory

  • .NET 6.0
  • .NET Core 3.1
  • Azure Batch
  • Azure Real Time Operating System GUIX Studio
  • Azure Site Recovery VMWare to Azure
  • Azure Sphere
  • Microsoft 365 Apps for Enterprise
  • Microsoft Excel
  • Microsoft Exchange Server
  • Microsoft Office
  • Microsoft Outlook
  • Microsoft Visual Studio
  • Open Management Infrastructure
  • System Center Operations Manager (SCOM)
  • Windows 10
  • Windows 11
  • Windows 7 SP1
  • Windows 8.1
  • Windows RT 8.1
  • Windows Server 2008
  • Windows Server 2012
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022
  • Windows Server, version 20H2 (Server Core Installation)

Recommendations

Microsoft and CERT-EU strongly recommend installing security updates as soon as possible.

References

[1] https://www.bleepingcomputer.com/microsoft-patch-tuesday-reports/August-2022.html

[2] https://www.bleepingcomputer.com/news/microsoft/microsoft-august-2022-patch-tuesday-fixes-exploited-zero-day-121-flaws/

We got cookies

We only use cookies that are necessary for the technical functioning of our website. Find out more on here.