[German]A brief security information. Shortly before Christmas, a warning popped up about a Denial of Service vulnerability in the Windows Local Session Manager (LSM). However, this DoS vulnerability with the CVE identifier CVE-2022-44684 is quite "strange". The identifier indicates that the vulnerability was disclosed in 2022. During my research, I also saw that Microsoft had published something about this in December 2022 and January 2023 – but all of this has since been deleted. I've put together some information. And I'll add an interesting description of patched Outlook vulnerabilities that can also be combined into an attack vector.
Advertising
A note from a reader
Blog reader 1ST1 left a comment within my German blog (thanks for that), pointing to a new vulnerability in Windows. I'm including his translated comment here.
Hello Mr. Born, the next major security vulnerability in Windows seems to be looming here (link to German CERT-Bund):
"A remote, authenticated attacker can exploit a vulnerability in Microsoft Windows Local Session Manager (LSM) to perform a denial of service attack."
The reader then linked to the advisory Windows Local Session Manager (LSM) Denial of Service… on Github, which provides little to nothing. The CVSS 3.1 index is set to 6.5 (out of a maximum of 10). The complexity of the attack vector is specified as low, and the attacker only needs limited privileges. The attacker could virtually render the system unusable via the network by making requests without the Windows user having to do anything.
Many oddities
At this point, I wanted to do some research and was immediately stumped. I may be wrong, but a CVE number with 2022 at the beginning suggests that the vulnerability was already reported in 2022 and then assigned a CVE number. Nist.gov writes here on December 20, 2023 that the vulnerability is awaiting analysis. And there is a "hidden" change about the timeline.
All references I've found point to an MSRC entry on the web, but it returns a 404 error. 1ST1 suspects that Microsoft has not yet created the entry. The speculation boils down to whether something will be closed on the next (January 2024) patch day. I'll just leave it at that.
But then I became curious about the inconsistencies mentioned above. The Wayback Machine knows of exactly three snaps that were performed – but have since been deleted – between December 22, 2022 and January 2, 2023.
Advertising
On X, I then came across the above tweets from early January 2023, among others, which state that Microsoft has probably assigned CVE-2022-44684 for the December 2022 patch day. However, no details were published – which somehow "smells". In the vastness of the wild web, I found another snippet of the kind "This CVE is in CISA's Known Exploited Vulnerabilities Catalog ; Microsoft Defender SmartScreen Security Feature Bypass Vulnerability, 12/13/2022" – whereby the page today says: "This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided."
I had written something about Windows Defender SmartScreen vulnerabilities in the blog post Microsoft Security Update Summary (14. März 2023) and in the post Microsoft Security Update Summary (November 14, 2023) – but they have different CVE numbers. I also found this information on CVE.org, according to which the vulnerability CVE-2022-44684 should affect the following Windows versions:
- Windows 10 Version 20H2 (before Build 10.0.19042.2364)
- Windows 10 Version 21H1 (before Build 10.0.20348.1366)
- Windows 10 Version 22H2 (before Build 10.0.19045.2364)
- Windows Server 2022 (before Build 10.0.20348.1366)
However, I can find some entries on this in the article Patchday: Windows 10-Updates (December 13, 2022) – according to these explanations, the vulnerability should have been closed in December 2023.
The "Santa Claus" vulnerability
So let's just say: CVE-2022-44684 has been assigned since December 2022, the MSRC entry has disappeared in the meantime, and the whole thing has "disappeared into oblivion" until December 20, 2023. Well, I would call it a "Santa Claus vulnerability", appears just before Christmas and then disappears again for a whole year. Or to put it another way: just wait and see what January 2024 brings or not.
Another vulnerability?
The vulnerability CVE-2022-44684 in Windows was closed with the December 2022 security updates. But the security researchers at Akamai have worked out something else that affects Outlook. I had this topic on my agenda since "before Christmas".
Will Dormann points out a new finding in this tweet on December 19, 2023. The security researchers at Akamai have combined two vulnerabilities (CVE-2023-35384 and CVE-2023-36710) that could affect Outlook and published this two-part article about them. The vulnerabilities do affect Outlook and patches have been available since spring and August 2023.
But Akamai researcher Ben Barnea has found that the two vulnerabilities CVE-2023-35384 and CVE-2023-36710 in Microsoft Windows can be combined to create a full zero-click remote code execution (RCE) exploit against Outlook clients.
- The first vulnerability lies in the analysis of a path by the MapUrlToZone function. To exploit this vulnerability, a manipulated email must be sent to an Outlook client, which then downloads a special sound file from a server controlled by the attacker.
- The second vulnerability is in the Audio Compression Manager (ACM). This vulnerability is exploited when the downloaded audio file is played automatically and can lead to code execution on the victim computer. This vulnerability is described in detail in part 2 of this blog post.
The vulnerabilities were reported to Microsoft and fixed on the Patch Tuesdays in August 2023 and October 2023. Windows computers with the October 2023 software update installed are protected against these vulnerabilities. In addition, Outlook clients using Exchange servers patched with the March 2023 software update are protected from the abused feature.
Advertising
