June 2022 patch day review: Windows update issues, Intel vulnerability, documentation fails

Windows[German]The security updates released on June 14, 2022, closes numerous vulnerabilities. But there are also issues, for example with VMs and when using ESET security solutions. I've noticed also that Microsoft is becoming more and more sparse with details in its KB articles – you have to hunt down the information. Also, vulnerabilities have been quietly patched in Microsoft Azure after pressure from security researchers. Below is a summary of miscellaneous information, observations, and notices of issues for the June 2022 patch day.


Advertising

Vulnerabilities fixed

The June 2022 security updates fix 55 vulnerabilities, including one as a 0-day (MSDT "Follina"), in Microsoft products (see Microsoft patches Follina vulnerability (CVE-2022-30190) in Windows with June 2022 updates ). A list of all covered CVEs can be found on this Microsoft page. Tenable also has this blog post with an overview of the fixed vulnerabilities – I had pulled out the list in the blog post Microsoft Security Update Summary (June 14, 2022).

The Dogwalk vulnerability does not get a fix – I had already addressed this in the blog post Windows MSDT 0-day vulnerability "DogWalk" receives 0patch fix.

June 2022 updates problem reports

Currently, the feedback from users regarding problems in connection with the June 2022 updates is still limited. I mentioned in the blog posts that the installation order of the patches is to be observed for Windows Server (DCs last).

Virtual machines (VMs) hang

German blog reader Daniel N. contacted me by mail and reported that in his company environment he observed that virtual machines hang on startup after the update.

Today is patchday again. A small bug: we see some VMs that hang at startup, a reboot fixes it. Nevertheless, you have to intervene, so in highly automated environments you should be ready.

Daniel pointed me to this Novotext blog post where this was also mentioned – there were VMs with:

  • Windows Server 2016
  • Windows Server 2019

were affected. Thanks to Daniel for pointing this out. Since ESET is mentioned below as the source of the problem, I checked with Daniel. They also use ESET, but exclude a connection (Quote: Interesting – yes ESET is also in use. But not always with this error pattern, we had already checked).


Advertising

Windows 11: Hyper-V stalls

German blog reader Dave came forward with a report about issues with Hyper-V on a Windows 11 test machine. He wrote here:

On Windows 11, Hyper-V no longer runs on the test machine after installing KB5014697.

Exits with snap in could not be created. No CLSID.

1Password also throws down an error message.

Dave writes that .NET Framework 4.8 was usually the cause in the past. But the package is not installed in this case.

ESET causes server hung during reboot

In a comment thread on the German post Microsoft Security Update Summary (14. Juni 2022), LeMajors reported that two of his servers won't boot up after installing KB5014692. The cause in this case is an ESET antivirus solution, and Dominik wrote about it:

Make sure there are no Windows updates pending on your server and no reboot scheduled due to Windows updates or any other reason. If you try to run an in-place upgrade on a computer with a pending Windows Update or reboot, the existing version of ESET Security for Microsoft SharePoint may not be properly removed. Also, you may encounter problems if you try to manually remove the old version of ESET Security for Microsoft SharePoint afterwards.

The source is probably the ESET help for updating to new program versions.

Backup issues on Windows Server

The colleagues from Bleeping Computer point out in this article that due to the fix of the Elevation of Privilege vulnerability CVE-2022-30154 for the Microsoft File Server Shadow Copy Agent Service, problems with backups can occur. Microsoft has documented this in the KB article as well:

To become protected and functional, you must install the June 14, 2022 or later Windows update on both the application server and the file server. The application server runs the Volume Shadow Copy Service (VSS)-enabled application, which stores data on the remote server Message Block 3.0 (or later) shares on a file server. The file server hosts the file shares. If you do not install the update on both computer roles, backup operations performed by applications that previously worked may fail. In such failure scenarios, the Microsoft File Server Shadow Copy Agent service logs FileShareShadowCopyAgent event 1013 on the file server. For more information, see KB5015527.

WMI queries are rejected

Arne reported within this German comment that Windows updates are the root cause, the WMI queries from the monitor system (icinga2) no longer work ("NTSTATUS: NT_STATUS_ACCESS_DENIED – Access denied").

For me the WMI queries from my monitor system (icinga2) do not work anymore ("NTSTATUS: NT_STATUS_ACCESS_DENIED – Access denied").

A test with the WMI Explorer under Windows showed that it works as usual with computers in the same domain. If the Windows computer is not a member of the domain no logon to WMI is possible.

The issue affects Windows Server 2012 and Windows Server 2019 for me.

Maybe it's a single case, I haven't seen other reports so far. But there was a hint linking to this article from Palo Alto Networks.

Shared Folders and Zebra Printers

Furthermore, there is a single note in this comment that there are problems with shared folders (folder shares) under Windows 7 SP1. And in the reddit.com mega-thread here are vague hints about security settings for DCOM (from February 2022) that can cause problems – since "hardening" will be enabled on June 14, 2022. From Checkpoint there is a corresponding warning Check Point response to CVE-2021-26414 – "Windows DCOM Server Security Feature Bypass" (Nov. 2021).

There is also a note in the Mega thread about problems with printers, quote: I've had two patch problems and that was breaking Dynamo printers and Zebra g420k printers. All windows running srv 2022 with inplace upgrades.

Missing details in Microsoft documentation

When browsing through the descriptions for the respective security updates, I noticed that the description of the fixes since the last 2 months is extremely scarce. There is only a general note that what has been fixed and possibly one or two highlighted items. However, in the cumulative updates for Windows 10/11 and Server, there are many more bugs fixed.

I had already pointed this out in the posts on Windows 10 and Windows 11. Those looking for details on the fixes for June 2022 will have to check the descriptions of the preview updates of the previous weeks (see also the list of posts linked at the end of the article).

Criticism from security researchers

Microsoft's vulnerability handling and documentation policy is also receiving criticism from security experts. Claire Tills, senior research engineer at Tenable, comments on the latest Patch Tuesday:

This month's Patch Tuesday release includes fixes for 55 CVEs – three of which are rated critical and 52 of which are rated important.

Microsoft fixes CVE-2022-30136, a vulnerability in the network file system that can be exploited by an unauthenticated attacker and receives a CVSSv3 score of 9.8. This vulnerability does not affect versions 2 and 3 of NFS. As a workaround, Microsoft has suggested disabling NFS version 4.1. However, this may have an adverse impact on systems, especially for organizations that have not applied the May 2022 security update for CVE-2022-26937. Whenever possible, organizations are strongly advised to update their systems with the latest patches.

Patches for CVE-2022-30190, the Zero Day known as Follina that was disclosed in late May, are also included in this month's release. In the run-up to Patch Tuesday, there was much speculation about whether Microsoft would release patches, as Microsoft initially downplayed the vulnerability and it was widely publicized in the weeks following its disclosure.

As for Microsoft's troubling behavior of downplaying legitimate security concerns, Tenable researcher Jimi Sebree discovered and published two vulnerabilities in Microsoft's Azure Synapse Analytics. Of these, one has been patched and one has not. Neither vulnerability has been assigned a CVE number or documented in Microsoft's June Security Update Guide.

Tills notes that at the moment, however, there is very little information available from Microsoft. Regarding the above vulnerabilities discovered by Tenable researcher Jimi Sebree, Tenable CEO Amit Yoran stated:

After we assessed the situation, Microsoft decided to quietly patch one of the issues and downplay the risk. It wasn't until they learned we were going public that their story changed….

89 days after the vulnerability was first reported …  when they privately acknowledged the severity of the security issue. To date, Microsoft customers have not been notified.

Tenable security experts' opinion: Without timely and detailed disclosure, customers have no idea whether they were or are vulnerable to attack, or whether they were victims of an attack before a vulnerability was closed. By not notifying customers, they are denied the opportunity to search for evidence of whether or not they were compromised – a grossly irresponsible policy.

SynLapse-Sicherheitslücke (CVE-2022-29972)

I hear something similar from Orca Security, which faults Microsoft's slow response in fixing the SynLapse vulnerability. In a message I received, their security researchers write:

Despite SynLapse (CVE-2022-29972) being a critical vulnerability, it has taken Microsoft over 100 days to take the necessary steps to fix the vulnerability.

It is a critical vulnerability in Microsoft Azure Synapse Analytics that also affected Azure Data Factory. It allowed attackers to bypass client separation while gaining the following capabilities:

  • Gain credentials for other Azure Synapse customer accounts.
  • Control over their Azure Synapse workspaces.
  • Execute code on targeted customer machines within the Azure Synapse Analytics service.
  • Exposing customer credentials to data sources outside of Azure.

An attacker with only the name of an Azure Synapse workspace could spy on a victim's credentials entered into Synapse (see this Vimeo video). Orca Security published this blog post on the topic. Orca has waited until now to release it to give Synapse customers time to patch their local versions and reconsider their use of Azure Synapse. MSRC has made several improvements and continues to work on comprehensive Tenant isolation.

What is Azure Synapse Analytics?

Azure Synapse Analytics imports and processes data from many customer data sources (e.g. CosmosDB, Azure Data Lake, and external sources such as Amazon S3). Each Synapse instance is referred to as a workspace. To import and process data from an external data source, a customer enters credentials and relevant data, then connects to that source via an Integration Runtime – a machine that connects to many different data sources.

Integration Runtimes can either be self-hosted (on-premises) or hosted in the Azure Cloud (via the Azure Data Factory Integration Runtime). Azure IRs hosted in the cloud can also be configured with a Managed Virtual Network (VNet) to use private endpoints for external connections, which can provide additional layers of isolation.

How critical was SynLapse?

SynLapse allowed attackers to access Synapse resources owned by other customers through an internal Azure API server that manages integration runtimes. Knowing the name of a workspace, the Orca team was able to perform the following:

  • Gain authorization within other customer accounts while acting as a Synapse workspace. Depending on the configuration, the team could have accessed even more resources within a customer account.
  • Reading credentials that customers have stored in their Synapse workspace.
  • Communicating with other customers' integration runtimes. The Orca team could use this to run remote code (RCE) on any customer's Integration Runtimes.
  • Control over the Azure batch pool that manages all shared Integration Runtimes. Orca was able to execute code on any instance.

After discussions with Microsoft, Orca Security now believes that Azure Synapse Analytics is secure and provides sufficient tenant isolation. For this reason, Orca has removed the Synapse alerts from the Orca Cloud Security platform. However, the incident shows that the more common statement about bugs in patches on on-premises systems driving customers towards the Microsoft cloud because everything is more secure there and Microsoft patches quickly does not really seem to be true.

Hertzbleed vulnerability in processors

Teams of researchers from the University of Texas at Austin, the University of Illinois Urbana-Champaign and the University of Washington have discovered a new vulnerability called Hertzbleed in processors from Intel and AMD. The new side-channel attack allows remote attackers to steal full cryptographic keys by observing fluctuations in CPU frequency enabled by dynamic voltage and frequency scaling (DVFS). This is possible because in modern x86 processors from Intel (CVE-2022-24436) and AMD (CVE-2022-23823), dynamic frequency scaling depends on power consumption and processed data.

The colleagues from Bleeping Computer report here that AMD and Intel do not plan any fixes for this. Intel has issued the advisory Advisory INTEL-SA-00698 and AMD the Bulletin AMD-SB-1038. Microsoft has published ADV220002 (Microsoft Guidance on Intel Processor MMIO Stale Data Vulnerabilities).

There is a follow up article: June 2022 Patchday issues (part 2): RDP, VPN, WLAN, hotspot connection and more

Similar articles:
Microsoft Security Update Summary (June 14, 2022)
Patchday: Windows 10-Updates (June 14, 2022)
Patchday: Windows 11/Server 2022 Updates (June 14, 2022)
Windows 7/Server 2008R2; Windows 8.1/Server 2012R2: Updates (June 14, 2022)

Follina: Angriff über Word-Dokumente und ms-msdt-Protokoll (CVE-2022-30190)
Follina-Schwachstelle (CVE-2022-30190): Status, Erkenntnisse, Warnungen & Angriffe
0Patch Micro-Patch gegen Follina-Schwachstelle (CVE-2022-30190) in Windows
Follina (CVE-2022-30190): Angriffswelle ausgeblieben, aber Kampagnen auf EU/US und andere Ziele
Follina-Schwachstelle (CVE-2022-30190): Neue Erkenntnisse, neue Risiken (9.6.2022)


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Security, Update, Windows and tagged , , , , . Bookmark the permalink.

14 Responses to June 2022 patch day review: Windows update issues, Intel vulnerability, documentation fails

  1. anonymous says:

    After installing June cumulative update for Windows 10 21H2 if Internet Connection Sharing is enabled on a network connection that connection loses Internet access.

  2. Software tester says:

    A strange Mobile Hotspot issue occurs after the KB5014697 update

    For example, after installing the update, open the Mobile hotspot and connect to this network with your mobile phone, your Laptop internet will be cut off instantly. But Mobile hotspot will continue to broadcast. It seems they made a mistake, allowing only one connection type. My test system is an old laptop (8-9 years old) with Windows 11.
    As always, Microsoft continues to release updates without proper testing. The only way to fix the error is to remove the new update, for this, run CMD with administrator privileges and give the following command
    wusa /uninstall /kb:5014697

  3. Advertising

  4. Sebastian says:

    Dear community,

    we use the Paessler PRTG Monitoring Tool and after the June 22 updates we also lost the connection to our customers "probe servers".

    The interruption is related to the error in the WMI query described above. We uninstalled the update again and the connection could be restored. We currently have the update service disabled on these servers. Is there already a solution for this?

    Regards.

  5. Chris Pugson says:

    Thank you Gunter. The information you provide is invaluable.

  6. richard says:

    Updated on 06/17/2022 The update erased my audio drivers and eliminated power supply to other drivers. Waiting on support, 1st fix from Microsoft was no fix.

  7. Sean Herman says:

    I also have problems with PRTG IFF the monitored server is not on the same domain.

  8. Jhon says:

    Hi,

    is there any solution for the WMI Sensors after the Windows Update from June 2022?

    Thanks

  9. Francis says:

    Same issue all servers that been patched by June failing to connect to prtg via WMI servers connecting to probe.

  10. Hassan says:

    Hi all,
    We use the PRTG monitoring tool too, after this update, some of our WMI sensors don't work. The error is "Connection could not be established (80070005: Access Denied) (Code: PE015)".

    Some other WMI sensors work at the moment. I am completely confused. Parent credentials and other settings are the same as other WMI sensors, but I didn't succeed to find a reason for this issue.

    Has anyone an idea?
    Thanks and best regards,
    Hassan

  11. Marvin says:

    Hi,
    is there any Updates to this Problem. I have more than 20 Servers and all the WMI Sensors are still not working

    Thanks Alot

Leave a Reply

Your email address will not be published.