September Patch Tuesday: Microsoft Fixes 64 Vulnerabilities, Including Two Zero Day Flaws


Yesterday, Microsoft released a much smaller patchload, almost half of August’s total, as part of its September Patch Tuesday. With fixes for 64 vulnerabilities, September’s patchload is in line with last year and is the lowest of any month in 2022.

“In terms of published CVEs, this Patch Tuesday may appear lighter compared to other months. However, this month marked a calendar year milestone, with MSFT patching the 1,000th CVE of 2022 – likely on track to surpass 2021, which patched 1,200 CVEs in total,” noted Bharat Jogi, Director of vulnerability and threat research at Qualys. .

Of the 64 fixes released on September Patch Tuesday, five are for critical vulnerabilities, 57 for vulnerabilities rated important, and one each for moderate and low severity bugs. Microsoft also patched two zero-day vulnerabilities, i.e. those actively targeted by a publicly available exploit.

Jordan Schroeder, head of CISO at Barrier Networks, told Spiceworks: “This is a relatively small update compared to last month’s 141 patches, but it addresses two zero days, one of which is exploited in the wild, so organizations should prioritize applying these fixes.

Fixes for zero-day vulnerabilities in September Patch Tuesday

The first is CVE-2022-37969, a privilege elevation flaw in the Common Log File System (CLFS). “The CLFS driver is a general-purpose logging subsystem first introduced in the Windows 2003 R2 operating system that became very prominent and shipped with all subsequent releases,” Jogi told Spiceworks.

Microsoft has credited four different companies for discovering CVE-2022-36969. “Since this vulnerability has been reported to MSFT by four different cybersecurity companies, it is highly likely to be widely exploited in the wild – particularly by APT groups and malware authors – to gain elevated privileges “, continued Jogi.

It has a CVSS score of 7.8 (important) and requires user action as part of the attack chain. Mike Walters, chief cybersecurity officer and co-founder of Action1, told Spiceworks: “This [7.8] is not the highest possible score because the vulnerability can only be exploited locally; an attacker must already have access to a system and the ability to execute code on it.

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. No further technical details are available, but since the vulnerability has low complexity and requires no user interaction, an exploit will likely soon be in the arsenal of white hats and black hats,” Walters said and recommended that organizations deploy the patch as soon as possible. in the same way CVE-2022-23960the other zero-day bug fixed this month.

Learn more: Microsoft is sounding the last and last call for users to migrate away from Basic Authentication

CVE-2022-23960 is a cache speculation restriction vulnerability, commonly referred to as Spectre-BHB, residing in ARM64-based systems. CVE-2022-23960 was discovered in March 2022 by researchers from VUSec or Systems and Network Security Group at the Vrije Universiteit Amsterdam.

CVE-2022-23960 allows arbitrary kernel memory leaks on modern Intel processors. This also impacts recent Arms Cortex-A and Neoverse cores. Both Intel and Arms acknowledged the Spectre-BHB flaw in the respective notices. “This vulnerability is a variant of Specter v2, which has repeatedly reinvented itself and affected various processor architectures since its discovery in 2017,” Jogi added.

“This class of vulnerabilities poses a big headache for organizations trying to mitigate them, as they often require updates to operating systems, firmware, and in some cases application recompilation and hardening. if an attacker successfully exploits this type of vulnerability, they could gain access to sensitive information.”

Five Critical Vulnerabilities Fixed in September Patch Tuesday

All five critical vulnerabilities were patched this month (17 in August) are remote code execution (RCE) flaws in three different Microsoft products/product components. With a CVSS score of 9.8, three of the five critical vulnerabilities are as good as possible for attackers.

The five critical vulnerabilities are:


Exists in CVSS Rating Type
CVE-2022-34721 Windows Internet Key Exchange (IKE) Protocol Extensions 9.8



Windows Internet Key Exchange (IKE) Protocol Extensions 9.8 CRE
CVE-2022-34718 WindowsTCP/IP 9.8



Microsoft Dynamics 3658 on-premises 8.8 CRE
CVE-2022-35805 Microsoft Dynamics 3658 on-premises 8.8


Microsoft noted that CVE-2022-34721 and CVE-2022-34722 are less likely to be exploited. However, Walters told Spiceworks that “both have low operational complexity and allow threat actors to perform the attack without user interaction. An unauthenticated attacker could send a specially crafted IP packet to a target machine running Windows and having IPSec enabled, which could allow remote code execution.

“This vulnerability only affects IKEv1 and not IKEv2; however, all Windows servers are affected as they accept both V1 and V2 packages. There are no exploits or PoCs detected in the wild yet; however, installing the patch is highly recommended.

Learn more: Google ships emergency update for sixth Chrome Zero-day vulnerability in 2022

CVE-2022-34718 is the only critical vulnerability that is “more likely” to be exploited, according to Microsoft. It requires no user interaction to allow an unauthenticated attacker to execute code and elevate privileges. “This officially places it in the ‘wormable’ category and earns it a CVSS rating of 9.8,” wrote Dustin Childs of Trend Micro’s Zero Day Initiative.

The only reason CVE-2022-34718 failed to earn the maximum score of 10 is that only systems with IPv6 enabled and configured with IPSec are vulnerable. “The Windows TCP/IP Remote Code Execution Vulnerability, identified as CVE-2022-34724, is a critical vulnerability that is more likely than the previous two to be exploited,” Walters said.

“If a system doesn’t need the IPsec service, disable it as soon as possible. The attack can succeed when an adversary sends a specially crafted IPv6 packet to a Windows node where IPsec is enabled and performs remote code execution (RCE). This vulnerability can be exploited in supply chain attacks where contractor and customer networks are connected by an IPsec tunnel. If you have IPsec tunnels in your Windows infrastructure, this update is required.

Finally, CVE-2022-34700 and CVE-2022-35805 also have low attack complexity but are nonetheless critical.

Of the 121 fixes deployed on Patch Tuesday in September,

  • 25 involved RCE vulnerabilities
  • 19 for EoP vulnerabilities
  • Seven for information disclosure vulnerabilities
  • Seven for denial of service vulnerabilities
  • Four for security feature bypass vulnerabilities

September’s Patch Tuesday is the third since Microsoft Autopatch became generally available. Schroeder highlighted the importance of the automated update download and installation tool.

“Autopatch should make these updates seamless for most organizations, and they won’t have to worry about their systems. For those who have not activated the feature and can benefit from it, it is advisable to activate it now,” he said.

“However, when Autopatch is not feasible, it is essential to have a well-oiled patch management process that identifies patches, even those that come out before Patch Tuesdays. These patches should be applied to all systems concerned within 14 days, which is the Cyber ​​Essentials requirement, or sooner.

Let us know if you enjoyed reading this news on LinkedIn, TwitterWhere Facebook. We would like to hear from you!



Comments are closed.