Microsoft security alert.
September 13, 2022
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 60 vulnerabilities that were fixed in 14 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 14 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft SharePoint Server and Foundation Update for September 2022
- Severity
- Critical 4
- Qualys ID
- 110415
- Vendor Reference
- KB5002142, KB5002159, KB5002257, KB5002258, KB5002264, KB5002267, KB5002269, KB5002270, KB5002271
- CVE Reference
- CVE-2022-35823, CVE-2022-37961, CVE-2022-38008, CVE-2022-38009
- CVSS Scores
- Base 9 / Temporal 7
- Description
-
Microsoft has released September 2022 security updates to fix multiple security vulnerabilities.
This security update contains the following KBs:
KB5002271
KB5002258
KB5002264
KB5002267
KB5002269
KB5002159
KB5002270
KB5002257
KB5002142
QID Detection Logic:
This authenticated QID compares the file versions from the above Microsoft KB articles with the versions on the affected SharePoint system.
- Consequence
-
Successful exploitation allows an attacker to execute code remotely.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
KB5002271
KB5002258
KB5002264
KB5002267
KB5002269
KB5002159
KB5002270
KB5002257
KB5002142
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft SharePoint Foundation and SharePoint Server
-
Microsoft Office Security Update for September 2022
- Severity
- Critical 4
- Qualys ID
- 110416
- Vendor Reference
- KB5002016, KB5002017, KB5002166, KB5002178
- CVE Reference
- CVE-2022-37962, CVE-2022-37963, CVE-2022-38010
- CVSS Scores
- Base 6.8 / Temporal 5.3
- Description
-
Microsoft has released September 2022 security updates to fix multiple security vulnerabilities.
This security update contains the following:
- Consequence
-
Successful exploitation allows an attacker to execute code remotely.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
KB5002166
KB5002178
KB5002016
KB5002017
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Office September 2022
-
Microsoft Visual Studio Code Security Update for September 2022
- Severity
- Serious 3
- Qualys ID
- 377590
- Vendor Reference
- CVE-2022-38020
- CVE Reference
- CVE-2022-38020
- CVSS Scores
- Base 6.8 / Temporal 5
- Description
-
Visual Studio Code is a lightweight but powerful source code editor which runs on your desktop and is available for Windows, macOS and Linux.
Affected Versions:
Visual Studio Code prior to version 1.71.1
QID Detection Logic (Authenticated):
This QID checks for the vulnerable versions of Visual Studio Code.
- Consequence
-
Visual Studio Code is prone to an Elevation of Privilege vulnerability.
- Solution
-
Customers are advised to refer to CVE-2022-38020 and for more information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2022-38020
-
Microsoft Dynamics 365 Security Update for September 2022
- Severity
- Critical 4
- Qualys ID
- 91937
- Vendor Reference
- CVE-2022-34700, CVE-2022-35805
- CVE Reference
- CVE-2022-34700, CVE-2022-35805
- CVSS Scores
- Base 9 / Temporal 6.7
- Description
-
Microsoft Dynamics 365 is a product line of enterprise resource planning and customer relationship management intelligent business applications.
Affected Software:
Microsoft Dynamics 365 (on-premises) V9.0
Microsoft Dynamics 365 (on-premises) V9.1
QID Detection Logic (Authenticated):
This authenticated QID flags vulnerable systems by detecting vulnerable versions of the file Microsoft.Crm.Setup.Server.exe:
- Consequence
- Successful exploitation of this vulnerability can result in remote code execution.
- Solution
-
Customers are advised to refer to CVE-2022-34700 and CVE-2022-35805 for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2022-34700
CVE-2022-35805
-
Microsoft Visual Studio Security Update for September 2022
- Severity
- Critical 4
- Qualys ID
- 91938
- Vendor Reference
- CVE-2022-38013
- CVE Reference
- CVE-2022-38013
- CVSS Scores
- Base 7.8 / Temporal 5.8
- Description
-
Microsoft has released security updates for Visual Studio which resolve Remote Code Execution vulnerabilities.
Affected Software:
Microsoft Visual Studio 2022 version 17.2
Microsoft Visual Studio 2022 version 17.0
Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8)
Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)
Microsoft Visual Studio 2022 version 17.3
Visual Studio 2022 for Mac version 17.3
QID Detection Logic: Authenticated: Windows
This QID detects vulnerable versions of Microsoft Visual Studio by checking the registry key "HKLM\SOFTWARE\Microsoft" and the file "devenv.exe" to determine the Visual Studio version.
QID Detection Logic: Authenticated: macOS
This QID detects vulnerable versions of Microsoft Visual Studio by locating "Visual Studio.app" and checking its version.
- Consequence
-
Vulnerable versions of Microsoft Visual Studio are prone to a Denial of Service vulnerability.
- Solution
-
Customers are advised to refer to CVE-2022-38013 for more information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2022-38013
-
Microsoft .NET Framework Remote Code Execution (RCE) Vulnerability for September 2022
- Severity
- Serious 3
- Qualys ID
- 91939
- Vendor Reference
- KB5017305, KB5017315, KB5017358, KB5017361, KB5017365, KB5017367, KB5017370, KB5017371, KB5017373, KB5017377, KB5017497, KB5017498, KB5017499, KB5017500, KB5017501
- CVE Reference
- CVE-2022-26929
- CVSS Scores
- Base 7.2 / Temporal 5.3
- Description
-
A Remote Code Execution (RCE) vulnerability exists in Microsoft .NET Framework.
The following KBs are covered in this detection:
KB5017498
KB5017501
KB5017315
KB5017367
KB5017365
KB5017370
KB5017377
KB5017361
KB5017373
KB5017497
KB5017500
KB5017499
KB5017358
KB5017371
KB5017305
This security update is rated Important for supported versions of Microsoft .NET Framework.
.NET Framework 2.0, 3.0, 3.5, 3.5.1, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8, and 4.8.1
QID Detection Logic (Authenticated):
Checks for a vulnerable version of ntoskrnl.exe or Mscorlib.dll for the respective .NET Framework KBs.
- Consequence
-
Successful exploitation allows an attacker to achieve Remote Code Execution (RCE).
- Solution
-
Customers are advised to refer to CVE-2022-26929 for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2022-26929
-
Microsoft Windows Security Update for September 2022
- Severity
- Critical 4
- Qualys ID
- 91940
- Vendor Reference
- KB5017305, KB5017308, KB5017315, KB5017316, KB5017327, KB5017328, KB5017358, KB5017361, KB5017365, KB5017367, KB5017370, KB5017371, KB5017373, KB5017377, KB5017392
- CVE Reference
- CVE-2022-26928, CVE-2022-30170, CVE-2022-30196, CVE-2022-30200, CVE-2022-33647, CVE-2022-33679, CVE-2022-34719, CVE-2022-34720, CVE-2022-34721, CVE-2022-34722, CVE-2022-34723, CVE-2022-34725, CVE-2022-34726, CVE-2022-34727, CVE-2022-34728, CVE-2022-34729, CVE-2022-34730, CVE-2022-34731, CVE-2022-34732, CVE-2022-34733, CVE-2022-34734, CVE-2022-35803, CVE-2022-35831, CVE-2022-35832, CVE-2022-35833, CVE-2022-35834, CVE-2022-35835, CVE-2022-35836, CVE-2022-35837, CVE-2022-35838, CVE-2022-35840, CVE-2022-35841, CVE-2022-37954, CVE-2022-37955, CVE-2022-37956, CVE-2022-37957, CVE-2022-37958, CVE-2022-37964, CVE-2022-37969, CVE-2022-38004, CVE-2022-38005, CVE-2022-38006, CVE-2022-38011, CVE-2022-38019
- CVSS Scores
- Base 10 / Temporal 8.3
- Description
-
Microsoft Windows Security Update - September 2022
QID Detection Logic (Authenticated):
Operating Systems: Windows Server 2012, Windows 8.1, Windows Server 2008, Windows Server 2016, Windows 10, Windows 7, Windows Server 2019, Windows Server 2022, Windows 11
The KB Articles associated with the update:
The patch version is 6.3.9600.20564 (KB5017367)
The patch version is 6.0.6003.21661 (KB5017358)
The patch version is 6.0.6003.21661 (KB5017371)
The patch version is 10.0.14393.5356 (KB5017305)
The patch version is 6.2.9200.23861 (KB5017370)
The patch version is 6.2.9200.23861 (KB5017377)
The patch version is 6.3.9600.20564 (KB5017365)
The patch version is 6.1.7601.26111 (KB5017361)
The patch version is 6.1.7601.26111 (KB5017373)
The patch version is 10.0.10240.19444 (KB5017327)
The patch version is 10.0.17763.3406 (KB5017315)
The patch version is 10.0.19041.2006 (KB5017308)
The patch version is 10.0.20348.1006 (KB5017316)
The patch version is 10.0.22000.978 (KB5017328)
This QID checks for the file version of ntoskrnl.exe
- Consequence
-
Successful exploitation could compromise confidentiality, integrity and availability.
- Solution
-
Please refer to the following KB articles associated with the update:
KB5017367
KB5017358
KB5017371
KB5017305
KB5017370
KB5017377
KB5017365
KB5017361
KB5017373
KB5017327
KB5017315
KB5017308
KB5017316
KB5017328
Patches:
The following are links for downloading patches to fix these vulnerabilities:
5017305
5017308
5017315
5017316
5017327
5017328
5017358
5017361
5017365
5017367
5017370
5017371
5017373
5017377
-
Microsoft .NET Security Update for September 2022
- Severity
- Critical 4
- Qualys ID
- 91941
- Vendor Reference
- CVE-2022-38013
- CVE Reference
- CVE-2022-38013
- CVSS Scores
- Base 7.8 / Temporal 5.8
- Description
-
Microsoft has released a security update for .NET which resolves a Denial of Service vulnerability.
This security update is rated Important for affected versions of .NET.
Affected versions:
.NET 6.0 before version 6.0.9
.NET Core 3.1 before version 3.1.29
QID Detection Logic: Authenticated: Windows
This QID detects vulnerable versions of Microsoft .NET Core by checking the file version on Windows, the installation path, and the file name ".version".
QID Detection Logic: Authenticated: Linux
This QID executes the command "ls -d /usr/share/dotnet/shared/Microsoft.NETCore.App/*" or "ls -d /root/shared/Microsoft.NETCore.App/*" to check the Microsoft .NET Core versions.
QID Detection Logic: Authenticated: macOS
This QID executes the command "ls -d /usr/local/share/dotnet/shared/Microsoft.NETCore.App/*" to check the .NETCore.App versions.
- Consequence
-
Vulnerable versions of Microsoft .NET are prone to a Denial of Service vulnerability.
- Solution
-
Customers are advised to refer to CVE-2022-38013 for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2022-38013
-
Microsoft Windows Domain Name System (DNS) Server Denial of Service (DoS) Vulnerability for September 2022
- Severity
- Critical 4
- Qualys ID
- 91942
- Vendor Reference
- CVE-2022-34724
- CVE Reference
- CVE-2022-34724
- CVSS Scores
- Base 7.8 / Temporal 5.8
- Description
-
Microsoft Windows Security Update - September 2022
The KB Articles associated with the update:
5017367
5017365
5017370
5017377
5017361
5017373
5017358
5017371
5017305
5017316
5017315
QID Detection Logic (Authenticated):
This QID checks for the file version of dns.exe
- Consequence
-
Successful exploitation of the vulnerability may result in Denial Of Service.
- Solution
-
The vendor has released a patch. Please refer to CVE-2022-34724 for more information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB5017305
KB5017315
KB5017316
KB5017358
KB5017361
KB5017365
KB5017367
KB5017370
KB5017371
KB5017373
KB5017377
-
Microsoft Windows Remote Procedure Call Runtime Remote Code Execution (RCE) Vulnerability for September 2022
- Severity
- Critical 4
- Qualys ID
- 91943
- Vendor Reference
- CVE-2022-35830
- CVE Reference
- CVE-2022-35830
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
The Microsoft Windows Remote Procedure Call runtime is affected by a remote code execution vulnerability.
The KB Articles associated with the update:
5017367
5017365
5017370
5017377
5017361
5017373
5017358
5017371
5017305
5017316
5017315
QID Detection Logic (Authenticated):
This QID checks for the file version of ntoskrnl.exe
- Consequence
-
An unauthenticated attacker on local networks could spoof their IP address as localhost and access functionality in portmap.sys intended to only be reachable from localhost.
- Solution
-
The vendor has released a patch. Please refer to CVE-2022-35830 for more information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB5017305
KB5017315
KB5017316
KB5017358
KB5017361
KB5017365
KB5017367
KB5017370
KB5017371
KB5017373
KB5017377
-
Microsoft Windows Network Device Enrollment Service (NDES) Security Feature Bypass Vulnerability
- Severity
- Serious 3
- Qualys ID
- 91944
- Vendor Reference
- KB5017305, KB5017315, KB5017316, KB5017365, KB5017367
- CVE Reference
- CVE-2022-37959
- CVSS Scores
- Base 7.8 / Temporal 5.8
- Description
-
Microsoft Windows Security Update - September 2022
QID Detection Logic (Authenticated):
Operating Systems:
The KB Articles associated with the update:
The patch version is 6.3.9600.20564 (KB5017367)
The patch version is 6.3.9600.20564 (KB5017365)
The patch version is 10.0.14393.5356 (KB5017305)
The patch version is 10.0.20348.1006 (KB5017316)
The patch version is 10.0.17763.3406 (KB5017315)
This QID checks for the file version of ntoskrnl.exe
- Consequence
-
An attacker who successfully exploited this could bypass the Network Device Enrollment (NDES) Services' cryptographic service provider.
- Solution
-
Please refer to the following KB articles associated with the update:
KB5017367
KB5017365
KB5017305
KB5017316
KB5017315
Patches:
The following are links for downloading patches to fix these vulnerabilities:
5017305
5017315
5017316
5017365
5017367
-
Microsoft Azure Stack Hub Security Updates for September 2022
- Severity
- Critical 4
- Qualys ID
- 91945
- Vendor Reference
- Azure Stack Hub
- CVE Reference
- CVE-2022-26928, CVE-2022-30170, CVE-2022-30196, CVE-2022-30200, CVE-2022-33647, CVE-2022-33679, CVE-2022-34718, CVE-2022-34719, CVE-2022-34720, CVE-2022-34721, CVE-2022-34722, CVE-2022-34724, CVE-2022-34725, CVE-2022-34726, CVE-2022-34727, CVE-2022-34728, CVE-2022-34729, CVE-2022-34730, CVE-2022-34731, CVE-2022-34732, CVE-2022-34733, CVE-2022-34734, CVE-2022-35803, CVE-2022-35830, CVE-2022-35831, CVE-2022-35832, CVE-2022-35833, CVE-2022-35834, CVE-2022-35835, CVE-2022-35836, CVE-2022-35837, CVE-2022-35840, CVE-2022-35841, CVE-2022-37954, CVE-2022-37955, CVE-2022-37956, CVE-2022-37957, CVE-2022-37958, CVE-2022-37959, CVE-2022-37969, CVE-2022-38004, CVE-2022-38005, CVE-2022-38006
- CVSS Scores
- Base 10 / Temporal 8.3
- Description
-
Azure Stack Hub is an extension of Azure that provides a way to run apps in an on-premises environment and deliver Azure services in your datacenter.
A complete Qualys vulnerability scan report for Microsoft Azure Stack Hub can be obtained at Azure Stack Vulnerability Scan Report.
QID Detection Logic (Authenticated):
This QID checks the file version of ntoskrnl.exe; if this file version is less than 10.0.17763.10964, the host is considered vulnerable.
- Consequence
-
Successful exploitation of these vulnerabilities might allow an attacker to perform Information Disclosure, Elevation of Privileges, Security Feature Bypass, Remote Code Execution, and Denial of Service attacks.
- Solution
-
Customers are encouraged to connect with Microsoft for obtaining more information about patches and upcoming releases.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Azure Stack Hub
-
Microsoft Windows Codecs Library RawImageExtensions and AV1 Extensions Remote Code Execution (RCE) Vulnerability for September 2022
- Severity
- Critical 4
- Qualys ID
- 91946
- Vendor Reference
- CVE-2022-38011, CVE-2022-38019
- CVE Reference
- CVE-2022-38011, CVE-2022-38019
- CVSS Scores
- Base 6.8 / Temporal 5
- Description
-
A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory.
Affected Product:
"RawImageExtension from Device Manufacturer" media codec before version 2.0.32061.0
"AV1 from Device Manufacturer" media codec before version 1.1.52074.0
QID Detection Logic:
The QID gets the version of AV1VideoExtension by querying the WMI class Win32_InstalledStoreProgram.
- Consequence
-
An attacker who successfully exploited this vulnerability can compromise confidentiality, integrity and availability of the system.
- Solution
-
Users are advised to check CVE-2022-38019 and CVE-2022-38011 for further details.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2022-38011
CVE-2022-38019
-
Microsoft Windows Transmission Control Protocol/Internet Protocol (TCP/IP) Remote Code Execution (RCE) Vulnerability
- Severity
- Critical 4
- Qualys ID
- 91947
- Vendor Reference
- CVE-2022-34718
- CVE Reference
- CVE-2022-34718
- CVSS Scores
- Base 10 / Temporal 7.8
- Description
-
Microsoft has released an update for the Windows TCP/IP implementation to fix a Remote Code Execution vulnerability.
The vulnerability is applicable if the IPSec service is running. Hosts are not affected if IPv6 is disabled on them.
QID Detection Logic (Authenticated):
Operating Systems: Windows Server 2012, Windows 8.1, Windows Server 2008, Windows Server 2016, Windows 10, Windows 7, Windows Server 2019, Windows Server 2022, Windows 11
The KB Articles associated with the update:
The patch version is 6.3.9600.20564 (KB5017367)
The patch version is 6.0.6003.21661 (KB5017358)
The patch version is 6.0.6003.21661 (KB5017371)
The patch version is 10.0.14393.5356 (KB5017305)
The patch version is 6.2.9200.23861 (KB5017370)
The patch version is 6.2.9200.23861 (KB5017377)
The patch version is 6.3.9600.20564 (KB5017365)
The patch version is 6.1.7601.26111 (KB5017361)
The patch version is 6.1.7601.26111 (KB5017373)
The patch version is 10.0.10240.19444 (KB5017327)
The patch version is 10.0.17763.3406 (KB5017315)
The patch version is 10.0.19041.2006 (KB5017308)
The patch version is 10.0.20348.1006 (KB5017316)
The patch version is 10.0.22000.978 (KB5017328)
This QID checks the file version of ntoskrnl.exe. The QID additionally checks whether IPv6 and IPSec are enabled on the host.
- Consequence
-
Successful exploitation of the vulnerability will allow remote code execution.
- Solution
-
Please refer to the following KB articles associated with the update:
KB5017367
KB5017358
KB5017371
KB5017305
KB5017370
KB5017377
KB5017365
KB5017361
KB5017373
KB5017327
KB5017315
KB5017308
KB5017316
KB5017328
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2022-34718
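The detection logic described for QID 91947 (ntoskrnl.exe file version per servicing branch, plus the IPv6 and IPSec preconditions) can be reproduced as below. This is an added example, not Qualys code: the patched versions and KB numbers are copied from the advisory, while the status names, the host inventory and the assumption that IPv6/IPSec state is collected separately are hypothetical.

```python
# Added example (not Qualys code): the ntoskrnl.exe version check described for
# QID 91947, using the patch versions and KB numbers listed in the advisory.
PATCHED = {  # servicing branch (major.minor.build) -> (patched version, KBs)
    "6.0.6003": ("6.0.6003.21661", ["KB5017358", "KB5017371"]),
    "6.1.7601": ("6.1.7601.26111", ["KB5017361", "KB5017373"]),
    "6.2.9200": ("6.2.9200.23861", ["KB5017370", "KB5017377"]),
    "6.3.9600": ("6.3.9600.20564", ["KB5017367", "KB5017365"]),
    "10.0.10240": ("10.0.10240.19444", ["KB5017327"]),
    "10.0.14393": ("10.0.14393.5356", ["KB5017305"]),
    "10.0.17763": ("10.0.17763.3406", ["KB5017315"]),
    "10.0.19041": ("10.0.19041.2006", ["KB5017308"]),
    "10.0.20348": ("10.0.20348.1006", ["KB5017316"]),
    "10.0.22000": ("10.0.22000.978", ["KB5017328"]),
}


def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints so fields compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(file_version, ipv6_enabled, ipsec_running):
    """Classify one host for CVE-2022-34718. Status names are hypothetical."""
    version = parse_version(file_version)
    branch = ".".join(str(n) for n in version[:3])
    if branch not in PATCHED:
        # Never compare against another branch's threshold: report it instead.
        return {"status": "unknown_branch", "kbs": []}
    patched, kbs = PATCHED[branch]
    if version >= parse_version(patched):
        return {"status": "patched", "kbs": []}
    # Per the advisory: applicable only if IPSec is running and IPv6 is enabled.
    if not (ipv6_enabled and ipsec_running):
        return {"status": "unpatched_not_applicable", "kbs": kbs}
    return {"status": "vulnerable", "kbs": kbs}


def assess_fleet(hosts):
    """hosts: iterable of (name, file_version, ipv6_enabled, ipsec_running)."""
    return {name: assess(ver, v6, ipsec) for name, ver, v6, ipsec in hosts}


# Constructed inventory rows, not real scan output.
SAMPLE_HOSTS = [
    ("win11-a", "10.0.22000.1042", True, True),   # 1042 > 978 numerically
    ("win11-b", "10.0.22000.795", True, True),
    ("win10-a", "10.0.19041.1889", False, True),  # IPv6 disabled
    ("srv2019", "10.0.17763.3406", True, True),   # exactly the patched build
    ("preview", "10.0.25000.1", True, True),      # branch not in the advisory
]

if __name__ == "__main__":
    for name, result in assess_fleet(SAMPLE_HOSTS).items():
        print(f"{name:8} {result['status']:25} {' '.join(result['kbs'])}")
```

Comparing the versions as strings would misclassify win11-a, because "10.0.22000.1042" sorts before "10.0.22000.978" lexicographically; hosts reported as unpatched_not_applicable still need the listed KB.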
These new vulnerability checks are included in Qualys vulnerability signature 2.5.580-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 110415
- 110416
- 377590
- 91937
- 91938
- 91939
- 91940
- 91941
- 91942
- 91943
- 91944
- 91945
- 91946
- 91947
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.