September 2022 Patch Tuesday - from zero-days to wormable exploits
Microsoft's September 2022 Patch Tuesday release includes fixes for a total of 63 flaws, 5 of them rated as Critical. By impact, most of the flaws allow either remote code execution or elevation of privilege.
As always, security practitioners should focus on those rated as Critical, particularly if they have "wormable" potential, i.e. can be exploited without user interaction. Those actively exploited in the wild at the time of disclosure also deserve special attention, as these are proper zero-day vulnerabilities.
Based on these criteria, here's what should be prioritized:
CVE-2022-37969 - Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability. This one was publicly disclosed before a patch was available, and so made it into threat actors' arsenals: it is actively being exploited in the wild. Fortunately, it can be exploited only after an attacker has already gained a foothold on a vulnerable system by other means, such as exploiting a separate vulnerability or social engineering.
CVE-2022-34718 - Windows TCP/IP Remote Code Execution Vulnerability. This vulnerability can only be exploited against systems with Internet Protocol Security (IPsec) enabled (the Windows service "IPsec Policy Agent" must be running). Although few Windows systems have this service enabled, an unauthenticated attacker can send a specially crafted IPv6 packet to a Windows node where IPsec is enabled, which could lead to remote code execution on that machine. This means CVE-2022-34718 has "wormable" potential and so should be prioritized. Related to this one are CVE-2022-34721 and CVE-2022-34722, also IPsec related (IKEv1 protocol), but exploitation of those appears to be more difficult.
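As an added defender-side triage check (not part of the original post), the following PowerShell function reports whether a host meets the preconditions described above for CVE-2022-34718: the "IPsec Policy Agent" service (Windows service name PolicyAgent) running and IPv6 bound on at least one adapter, plus whether a given update is installed. The KB number is a placeholder; take the correct one for your OS build from Microsoft's advisory.

```powershell
# Added exposure check for CVE-2022-34718 (example code, not from the original post).
# Reports the preconditions the post lists and, optionally, whether a given KB is installed.
function Test-Cve202234718Exposure {
    [CmdletBinding()]
    param(
        # KB id of the September 2022 update for this build (placeholder; supply the real one)
        [string]$PatchKb
    )

    # Precondition 1: the "IPsec Policy Agent" service (service name PolicyAgent) is running.
    $svc = Get-Service -Name 'PolicyAgent' -ErrorAction SilentlyContinue
    $ipsecRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')
    $svcState = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }

    # Precondition 2: the attack vector is a crafted IPv6 packet, so list adapters with IPv6 bound.
    $ipv6Adapters = @(Get-NetAdapterBinding -ComponentID 'ms_tcpip6' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled } | Select-Object -ExpandProperty Name)

    # Patch state: only checked when a KB id is supplied (Get-HotFix sees QFE-reported updates only).
    $patched = $null
    if ($PatchKb) {
        $patched = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)
    }

    # Likely exposed when both preconditions hold and the update is not confirmed installed.
    $exposed = $ipsecRunning -and ($ipv6Adapters.Count -gt 0) -and ($patched -ne $true)
    $advice = if ($exposed) {
        'Apply the September 2022 update; if IPsec is not required, stop and disable PolicyAgent'
    } else {
        'No action indicated by this check'
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        IPsecPolicyAgent  = $svcState
        IPv6BoundAdapters = $ipv6Adapters
        PatchKb           = $PatchKb
        PatchInstalled    = $patched
        LikelyExposed     = $exposed
        Recommendation    = $advice
    }
}

# Usage: replace the placeholder with the KB for your build before running.
Test-Cve202234718Exposure -PatchKb 'KB<placeholder>' | Format-List
```

Run it in an elevated session on each candidate host; a result with LikelyExposed = True means the host matches the post's preconditions and the update has not been confirmed installed.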
More details on the vulnerabilities fixed in September 2022 Patch Tuesday are here.