The security updates released on June 14, 2022, close numerous vulnerabilities. But there are also issues, for example with VMs and when using ESET security solutions. I've also noticed that Microsoft is becoming more and more sparse with details in its KB articles; you have to hunt down the information. In addition, vulnerabilities in Microsoft Azure have been quietly patched after pressure from security researchers. Below is a summary of miscellaneous information, observations, and notices of issues for the June 2022 patch day.
The June 2022 security updates fix 55 vulnerabilities, including one 0-day (MSDT "Follina"), in Microsoft products (see Microsoft patches Follina vulnerability (CVE-2022-30190) in Windows with June 2022 updates). A list of all covered CVEs can be found on this Microsoft page. Tenable also has this blog post with an overview of the fixed vulnerabilities; I had pulled out the list in the blog post Microsoft Security Update Summary (June 14, 2022).
The Dogwalk vulnerability does not get a fix – I had already addressed this in the blog post Windows MSDT 0-day vulnerability "DogWalk" receives 0patch fix.
June 2022 updates problem reports
Currently, the feedback from users regarding problems in connection with the June 2022 updates is still limited. I mentioned in the blog posts that the installation order of the patches is to be observed for Windows Server (DCs last).
Virtual machines (VMs) hang
German blog reader Daniel N. contacted me by mail and reported that in his company environment he observed that virtual machines hang on startup after the update.
Today is patchday again. A small bug: we see some VMs that hang at startup; a reboot fixes it. Nevertheless, you have to intervene, so in highly automated environments you should be ready.
Daniel pointed me to this Novotext blog post, where this was also mentioned; VMs running the following were affected:
- Windows Server 2016
- Windows Server 2019
Thanks to Daniel for pointing this out. Since ESET is mentioned below as the source of the problem, I checked with Daniel. They also use ESET, but rule out a connection (quote: Interesting – yes ESET is also in use. But not always with this error pattern, we had already checked).
Windows 11: Hyper-V stalls
German blog reader Dave came forward with a report about issues with Hyper-V on a Windows 11 test machine. He wrote here:
On Windows 11, Hyper-V no longer runs on the test machine after installing KB5014697.
Exits with "snap-in could not be created. No CLSID."
1Password also throws an error message.
Dave writes that .NET Framework 4.8 was usually the cause in the past. But the package is not installed in this case.
ESET causes server hang during reboot
In a comment thread on the German post Microsoft Security Update Summary (14. Juni 2022), LeMajors reported that two of his servers would not boot after installing KB5014692. In this case the cause is an ESET antivirus solution; Dominik wrote about it:
Make sure there are no Windows updates pending on your server and no reboot scheduled due to Windows updates or any other reason. If you try to run an in-place upgrade on a computer with a pending Windows Update or reboot, the existing version of ESET Security for Microsoft SharePoint may not be properly removed. Also, you may encounter problems if you try to manually remove the old version of ESET Security for Microsoft SharePoint afterwards.
The source is probably the ESET help for updating to new program versions.
Backup issues on Windows Server
The colleagues from Bleeping Computer point out in this article that due to the fix of the Elevation of Privilege vulnerability CVE-2022-30154 for the Microsoft File Server Shadow Copy Agent Service, problems with backups can occur. Microsoft has documented this in the KB article as well:
To become protected and functional, you must install the June 14, 2022 or later Windows update on both the application server and the file server. The application server runs the Volume Shadow Copy Service (VSS)-enabled application, which stores data on remote Server Message Block (SMB) 3.0 (or later) shares on a file server. The file server hosts the file shares. If you do not install the update on both computer roles, backup operations performed by applications that previously worked may fail. In such failure scenarios, the Microsoft File Server Shadow Copy Agent service logs FileShareShadowCopyAgent event 1013 on the file server. For more information, see KB5015527.
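Because the fix only works when both roles are updated, an admin wants a quick way to see the patch state of the application server and the file server together, plus whether the agent has already logged event 1013. The following PowerShell script is an added example, not code from the blog post, from Microsoft or from KB5015527. Host names are placeholders, the KB numbers are the two named in this post (add the one for your OS), and the assumption that event 1013 lands in the Application log under a provider name containing "FileShareShadowCopyAgent" is mine; adjust it if your system logs it elsewhere.

```powershell
# Added example (not from the blog post or KB5015527): compare the June 2022
# patch state of both roles of a remote-share VSS backup and look for
# FileShareShadowCopyAgent event 1013 on the file server.
# Run from a management host with WinRM access to both machines.

$appServer  = 'APP01'   # placeholder: runs the VSS-aware application
$fileServer = 'FS01'    # placeholder: hosts the SMB 3.0+ shares
$juneCutoff = Get-Date '2022-06-14'
$juneKBs    = @('KB5014692', 'KB5014697')   # KBs named in the post; add yours

$report = Invoke-Command -ComputerName $appServer, $fileServer -ScriptBlock {
    $hotfixes = Get-HotFix
    # Newest update by install date; some entries have no InstalledOn,
    # so drop those instead of treating them as recent.
    $latest = $hotfixes |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        LatestKB     = $latest.HotFixID
        InstalledOn  = $latest.InstalledOn
        KnownJuneKBs = @($hotfixes.HotFixID | Where-Object { $_ -in $using:juneKBs })
    }
}

foreach ($r in $report) {
    # Heuristic: an update installed on/after the cutoff, or one of the
    # listed KBs, counts as "June 2022 update present".
    $patched = ($r.InstalledOn -and $r.InstalledOn -ge $juneCutoff) -or ($r.KnownJuneKBs.Count -gt 0)
    '{0}: latest {1} on {2:d}; June 2022 update present: {3}' -f `
        $r.Computer, $r.LatestKB, $r.InstalledOn, $patched
}

if (($report | Where-Object { -not (($_.InstalledOn -ge $juneCutoff) -or $_.KnownJuneKBs.Count) }).Count -gt 0) {
    'At least one role lacks the June update: remote-share backups may fail until both are patched.'
}

# Event 1013 from the agent on the file server (last 7 days; window is arbitrary).
# Assumption: Application log, provider name containing "FileShareShadowCopyAgent".
$agentEvents = Invoke-Command -ComputerName $fileServer -ScriptBlock {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Application'
        Id        = 1013
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
        Where-Object ProviderName -like '*FileShareShadowCopyAgent*'
}

if ($agentEvents) {
    '{0} x FileShareShadowCopyAgent event 1013 on {1} in the last 7 days:' -f $agentEvents.Count, $fileServer
    $agentEvents | Select-Object TimeCreated, Message -First 3 | Format-List
} else {
    "No FileShareShadowCopyAgent event 1013 on $fileServer in the last 7 days."
}
```

Event 1013 only appears once a backup has actually failed, so the patch-state comparison is the part to run before the next backup window; the event query confirms afterwards whether the mismatch described in the KB article was the cause.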
WMI queries are rejected
Arne reported in this German comment that, after the Windows updates, the WMI queries from his monitoring system (icinga2) no longer work ("NTSTATUS: NT_STATUS_ACCESS_DENIED – Access denied"):
For me the WMI queries from my monitor system (icinga2) do not work anymore ("NTSTATUS: NT_STATUS_ACCESS_DENIED – Access denied").
A test with the WMI Explorer under Windows showed that it works as usual with computers in the same domain. If the Windows computer is not a member of the domain, no logon to WMI is possible.
The issue affects Windows Server 2012 and Windows Server 2019 for me.
Maybe it's a single case, I haven't seen other reports so far. But there was a hint linking to this article from Palo Alto Networks.
Shared Folders and Zebra Printers
Furthermore, there is a single note in this comment that there are problems with shared folders (folder shares) under Windows 7 SP1. And in the reddit.com mega-thread there are vague hints about security settings for DCOM (from February 2022) that can cause problems, since "hardening" will be enabled on June 14, 2022. From Check Point there is a corresponding warning Check Point response to CVE-2021-26414 – "Windows DCOM Server Security Feature Bypass" (Nov. 2021).
There is also a note in the mega-thread about problems with printers (quote): I've had two patch problems and that was breaking Dynamo printers and Zebra g420k printers. All Windows running Srv 2022 with in-place upgrades.
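The WMI access denials reported above and the DCOM hardening hint from the mega-thread are worth checking together, because the CVE-2021-26414 hardening rejects DCOM clients that do not authenticate at packet-integrity level, and Microsoft documents both a registry switch and dedicated event IDs for it. The following PowerShell script is an added example, not code from the blog post, from the commenters or from Microsoft; it reads the registry value from KB5004442 (RequireIntegrityActivationAuthenticationLevel under HKLM\SOFTWARE\Microsoft\Ole\AppCompat) and lists the DCOM events 10036 (server-side rejection) and 10037/10038 (client-side warnings). Run it elevated on the affected Windows host; the 7-day window is an arbitrary choice of mine.

```powershell
# Added example (not from the blog post or Microsoft): inventory the DCOM
# hardening state (CVE-2021-26414) on a server whose WMI/DCOM clients
# started failing with ACCESS_DENIED after the June 2022 update.

# 1) Registry switch documented in KB5004442.
#    Value absent = default (hardening enforced as of June 14, 2022),
#    0 = hardening explicitly disabled (temporary opt-out), 1 = explicitly enabled.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$valueName = 'RequireIntegrityActivationAuthenticationLevel'
$state = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

if ($null -eq $state) {
    "$valueName not set: update default applies (hardening enforced since June 14, 2022)."
} elseif ($state -eq 0) {
    "$valueName = 0: hardening explicitly disabled (opt-out; Microsoft's schedule removes this option later)."
} elseif ($state -eq 1) {
    "$valueName = 1: hardening explicitly enabled."
} else {
    "$valueName = $state (unexpected value)."
}

# 2) DCOM hardening events from the System log, last 7 days.
#    10036: server rejected a client below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY
#    10037/10038: client-side notices about calls that fail or would fail
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id           = 10036, 10037, 10038
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

if (-not $events) {
    'No DCOM hardening events (10036/10037/10038) in the last 7 days: look elsewhere for the ACCESS_DENIED cause.'
} else {
    $events |
        Group-Object Id |
        ForEach-Object { '{0} x event {1}' -f $_.Count, $_.Name }

    # Event 10036 names the account and the source address of the rejected
    # client, which identifies the monitoring host whose DCOM/WMI client
    # needs to be updated to one that supports packet integrity.
    $events |
        Where-Object Id -eq 10036 |
        Select-Object TimeCreated, Message -First 5 |
        Format-List
}
```

If 10036 events name the monitoring host, the durable fix is a client that negotiates packet integrity rather than relaxing the server setting, since the opt-out value is only a bridge until Microsoft's enforcement phase.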
Missing details in Microsoft documentation
When browsing through the descriptions for the respective security updates, I noticed that the description of the fixes over the last two months has become extremely sparse. There is only a general note about what has been fixed and possibly one or two highlighted items. However, the cumulative updates for Windows 10/11 and Server fix many more bugs than that.
I had already pointed this out in the posts on Windows 10 and Windows 11. Those looking for details on the fixes for June 2022 will have to check the descriptions of the preview updates of the previous weeks (see also the list of posts linked at the end of the article).
Criticism from security researchers
Microsoft's vulnerability handling and documentation policy is also receiving criticism from security experts. Claire Tills, senior research engineer at Tenable, comments on the latest Patch Tuesday:
This month's Patch Tuesday release includes fixes for 55 CVEs – three of which are rated critical and 52 of which are rated important.
Microsoft fixes CVE-2022-30136, a vulnerability in the network file system that can be exploited by an unauthenticated attacker and receives a CVSSv3 score of 9.8. This vulnerability does not affect versions 2 and 3 of NFS. As a workaround, Microsoft has suggested disabling NFS version 4.1. However, this may have an adverse impact on systems, especially for organizations that have not applied the May 2022 security update for CVE-2022-26937. Whenever possible, organizations are strongly advised to update their systems with the latest patches.
Patches for CVE-2022-30190, the zero-day known as Follina that was disclosed in late May, are also included in this month's release. In the run-up to Patch Tuesday, there was much speculation about whether Microsoft would release patches, as Microsoft initially downplayed the vulnerability and it was widely publicized in the weeks following its disclosure.
As for Microsoft's troubling behavior of downplaying legitimate security concerns, Tenable researcher Jimi Sebree discovered and published two vulnerabilities in Microsoft's Azure Synapse Analytics. Of these, one has been patched and one has not. Neither vulnerability has been assigned a CVE number or documented in Microsoft's June Security Update Guide.
Tills notes that at the moment, however, there is very little information available from Microsoft. Regarding the above vulnerabilities discovered by Tenable researcher Jimi Sebree, Tenable CEO Amit Yoran stated:
After we assessed the situation, Microsoft decided to quietly patch one of the issues and downplay the risk. It wasn't until they learned we were going public that their story changed….
89 days after the vulnerability was first reported … when they privately acknowledged the severity of the security issue. To date, Microsoft customers have not been notified.
Tenable security experts' opinion: Without timely and detailed disclosure, customers have no idea whether they were or are vulnerable to attack, or whether they were victims of an attack before a vulnerability was closed. By not notifying customers, they are denied the opportunity to search for evidence of whether or not they were compromised – a grossly irresponsible policy.
I hear something similar from Orca Security, which faults Microsoft's slow response in fixing the SynLapse vulnerability. In a message I received, their security researchers write:
Despite SynLapse (CVE-2022-29972) being a critical vulnerability, it has taken Microsoft over 100 days to take the necessary steps to fix the vulnerability.
It is a critical vulnerability in Microsoft Azure Synapse Analytics that also affected Azure Data Factory. It allowed attackers to bypass client separation and gain the following capabilities:
- Obtain credentials for other Azure Synapse customer accounts.
- Take control of their Azure Synapse workspaces.
- Execute code on targeted customer machines within the Azure Synapse Analytics service.
- Expose customer credentials to data sources outside of Azure.
An attacker with only the name of an Azure Synapse workspace could spy on a victim's credentials entered into Synapse (see this Vimeo video). Orca Security published this blog post on the topic. Orca has waited until now to release it to give Synapse customers time to patch their local versions and reconsider their use of Azure Synapse. MSRC has made several improvements and continues to work on comprehensive Tenant isolation.
What is Azure Synapse Analytics?
Azure Synapse Analytics imports and processes data from many customer data sources (e.g. CosmosDB, Azure Data Lake, and external sources such as Amazon S3). Each Synapse instance is referred to as a workspace. To import and process data from an external data source, a customer enters credentials and relevant data, then connects to that source via an Integration Runtime – a machine that connects to many different data sources.
Integration Runtimes can either be self-hosted (on-premises) or hosted in the Azure Cloud (via the Azure Data Factory Integration Runtime). Azure IRs hosted in the cloud can also be configured with a Managed Virtual Network (VNet) to use private endpoints for external connections, which can provide additional layers of isolation.
How critical was SynLapse?
SynLapse allowed attackers to access Synapse resources owned by other customers through an internal Azure API server that manages integration runtimes. Knowing the name of a workspace, the Orca team was able to perform the following:
- Gain authorization within other customer accounts while acting as a Synapse workspace. Depending on the configuration, the team could have accessed even more resources within a customer account.
- Read credentials that customers have stored in their Synapse workspace.
- Communicate with other customers' integration runtimes. The Orca team could use this to run remote code (RCE) on any customer's Integration Runtimes.
- Take control of the Azure batch pool that manages all shared Integration Runtimes. Orca was able to execute code on any instance.
After discussions with Microsoft, Orca Security now believes that Azure Synapse Analytics is secure and provides sufficient tenant isolation. For this reason, Orca has removed the Synapse alerts from the Orca Cloud Security platform. However, the incident shows that the frequently heard argument, that buggy patches on on-premises systems drive customers towards the Microsoft cloud because everything is more secure there and Microsoft patches quickly, does not really hold up.
Hertzbleed vulnerability in processors
Teams of researchers from the University of Texas at Austin, the University of Illinois Urbana-Champaign and the University of Washington have discovered a new vulnerability called Hertzbleed in processors from Intel and AMD. The new side-channel attack allows remote attackers to steal full cryptographic keys by observing fluctuations in CPU frequency caused by dynamic voltage and frequency scaling (DVFS). This is possible because in modern x86 processors from Intel (CVE-2022-24436) and AMD (CVE-2022-23823), dynamic frequency scaling depends on power consumption and thus on the data being processed.
The colleagues from Bleeping Computer report here that AMD and Intel do not plan any fixes for this. Intel has issued advisory INTEL-SA-00698 and AMD bulletin AMD-SB-1038. Microsoft has published ADV220002 (Microsoft Guidance on Intel Processor MMIO Stale Data Vulnerabilities).
There is a follow-up article: June 2022 Patchday issues (part 2): RDP, VPN, WLAN, hotspot connection and more
- Microsoft Security Update Summary (June 14, 2022)
- Patchday: Windows 10 Updates (June 14, 2022)
- Patchday: Windows 11/Server 2022 Updates (June 14, 2022)
- Windows 7/Server 2008R2; Windows 8.1/Server 2012R2: Updates (June 14, 2022)
- Follina: Attack via Word documents and the ms-msdt protocol (CVE-2022-30190)
- Follina vulnerability (CVE-2022-30190): Status, findings, warnings & attacks
- 0patch micro-patch against the Follina vulnerability (CVE-2022-30190) in Windows
- Follina (CVE-2022-30190): Wave of attacks failed to materialize, but campaigns against EU/US and other targets
- Follina vulnerability (CVE-2022-30190): New findings, new risks (June 9, 2022)