Nearly half of the vulnerabilities detailed allowed remote code execution, while about a fifth allowed elevation of privilege.
Claire Tills, senior research engineer at security firm Tenable, said: "Microsoft addressed CVE-2022-30136, a remote code execution vulnerability in the network file system that can be exploited by an unauthenticated attacker, assigning a CVSSv3 score of 9.8.
"This vulnerability does not affect versions 2 and 3 of Network File System (NFS). In terms of mitigation, Microsoft has proposed disabling NFS version 4.1. However, this may have adverse effects on systems, particularly for organisations that have not applied the May 2022 security update for CVE-2022-26937. Whenever possible, organisations are strongly encouraged to update with the most recent patches."
"There was significant speculation leading up to Patch Tuesday about whether Microsoft would be releasing patches given Microsoft’s initial dismissal of the flaw and its widespread exploitation in the weeks since its public disclosure," she pointed out.
Microsoft need to get much better at handling Azure vulnerabilities. It’s unacceptably poor in terms of transparency for customers.
— Kevin Beaumont (@GossiTheDog) June 14, 2022
There needs to be an independent database of cloud vulns, too - like CVE for providers. https://t.co/3cXCUet8UK pic.twitter.com/hVQ1YPdFqq
"On the subject of Microsoft’s troubling pattern of dismissing legitimate security concerns, Tenable researcher Jimi Sebree discovered and disclosed two vulnerabilities in Microsoft's Azure Synapse Analytics, one of which has been patched and one which has not.
"Neither of these vulnerabilities was assigned a CVE number or documented in Microsoft's security update guide for June."
Mike Walters, cyber security executive and co-founder of remote monitoring and management software provider Action1, added: "The most critical vulnerability is CVE-2022-30136. This affects the Network File System (NFS) and allows remote arbitrary code execution with a specially crafted call without administrative privileges or user interaction.
"Microsoft believes that an exploit for this vulnerability has been developed, although this information has not been confirmed. This bugfix complements May's CVE-2022-26937, which covers NFSV2.0 and 3.0 vulnerabilities.
"A month ago, Microsoft said that NFSV4.1 was not affected. However, the recently released patch suggests that is not the case, because CVE-2022-30136 addresses the NFSV4.1 vulnerability fix. Notably, this June patch should only be applied after the May one has already been installed."
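Both Tills and Walters stress the same operational caveat: the NFSv4.1 workaround only makes sense on a server that already has the May 2022 fix for CVE-2022-26937, because switching v4.1 off pushes clients onto NFSv2/v3, the versions that update addressed. The script below is an added example, not code from the article, from Tenable, from Action1 or from Microsoft's advisory. It uses the NFS PowerShell module that ships with the Server for NFS role (Get-NfsServerConfiguration, Set-NfsServerConfiguration, nfsadmin) and assumes the configuration object exposes EnableNFSV2, EnableNFSV3 and EnableNFSV4 as Boolean properties; the -MayUpdateInstalled switch is a hypothetical operator attestation, since the relevant KB number differs per Windows build and is not given on the page.

```powershell
<#
  Added example (not from the article or any vendor guidance): report which NFS
  protocol versions a Windows NFS server has enabled and, only when explicitly
  asked, apply the NFSv4.1 workaround for CVE-2022-30136 described above.
  Run in an elevated session on the NFS server.
#>
param(
    # Hypothetical attestation: operator has confirmed the May 2022 update
    # for CVE-2022-26937 is installed on this host.
    [switch]$MayUpdateInstalled,
    # Without -Apply the script only reports; nothing is changed.
    [switch]$Apply
)

$ErrorActionPreference = 'Stop'

# Read the current protocol configuration from the Server for NFS role.
$cfg = Get-NfsServerConfiguration

Write-Host ("NFSv2 enabled : {0}" -f $cfg.EnableNFSV2)
Write-Host ("NFSv3 enabled : {0}" -f $cfg.EnableNFSV3)
Write-Host ("NFSv4 enabled : {0}" -f $cfg.EnableNFSV4)

if (-not $cfg.EnableNFSV4) {
    Write-Host "NFSv4.1 is already disabled; nothing to do."
    return
}

Write-Warning "NFSv4.1 is enabled: this host is exposed to CVE-2022-30136 until the June 2022 update is installed."

if (-not $Apply) {
    Write-Host "Re-run with -Apply -MayUpdateInstalled to disable NFSv4.1 as a temporary workaround."
    return
}

# Guard: disabling v4.1 drops clients to v2/v3, which is only safe once the
# May 2022 fix for CVE-2022-26937 is present. Refuse to proceed otherwise.
if (-not $MayUpdateInstalled) {
    throw "Refusing to disable NFSv4.1: confirm the May 2022 update (CVE-2022-26937) is installed and pass -MayUpdateInstalled."
}

# Apply the workaround, then restart the NFS server so the change takes effect.
Set-NfsServerConfiguration -EnableNFSV4 $false
nfsadmin server stop
nfsadmin server start

$after = Get-NfsServerConfiguration
if ($after.EnableNFSV4) {
    throw "NFSv4.1 is still enabled after the change; check the NFS server event log."
}
Write-Host "NFSv4.1 disabled. Remove this workaround and re-enable v4.1 once the June 2022 update is installed."
```

The script is deliberately read-only by default so it can be run across a fleet to find exposed hosts before anyone changes anything; the -Apply path is the temporary measure, and the closing message is a reminder that the workaround is not a substitute for the June patch.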
He said Microsoft had also released patches for two critical vulnerabilities in Windows Lightweight Directory Access Protocol (LDAP) and Windows Hyper-V, CVE-2022-30139 and CVE-2022-26937.
"It is recommended that IT teams install these updates as soon as possible after testing them properly. If it is impossible to update systems quickly, then removing any vulnerable systems from public access is advisable until such time as the patching is possible," Walters added.