Microsoft Releases June 2022 Security Updates

06/14/2022 02:53 PM EDT

Original release date: June 14, 2022

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker can exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review Microsoft’s June 2022 Security Update Summary and Deployment Information and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Microsoft Releases Workaround Guidance for MSDT "Follina" Vulnerability

05/31/2022 11:11 AM EDT

Original release date: May 31, 2022

Microsoft has released workaround guidance to address a remote code execution (RCE) vulnerability—CVE-2022-30190, known as “Follina”—affecting the Microsoft Support Diagnostic Tool (MSDT) in Windows. The flaw is triggered when MSDT is invoked through its URL protocol handler by a calling application such as Microsoft Word, so a remote, unauthenticated attacker who convinces a user to open a crafted document could run arbitrary code with the privileges of that application and take control of an affected system. Microsoft has reported active exploitation of this vulnerability in the wild.

CISA urges users and administrators to review Microsoft’s Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability and apply the necessary workaround. 
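The following PowerShell script is an added example, not code from the CISA alert or from Microsoft's guidance page. It applies the workaround Microsoft published for CVE-2022-30190 (export, then delete, the `ms-msdt` URL protocol handler key) and verifies the result. It assumes an elevated prompt on the affected Windows host and a backup file location of its own choosing; the `Test-MsdtHandlerPresent` helper is this example's, not Microsoft's. Keep the exported .reg file: once a fixing update is installed the key can be restored with `reg import`. While the key is absent, troubleshooters cannot be launched as links, but remain reachable through the Get Help app and system settings.

```powershell
# Added example: apply and verify Microsoft's published workaround for
# CVE-2022-30190 by removing the ms-msdt: protocol handler.
# Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator
param(
    # Assumed backup location; any writable path works.
    [string]$BackupPath = "$env:SystemDrive\ms-msdt-backup.reg"
)

$key = 'HKEY_CLASSES_ROOT\ms-msdt'

function Test-MsdtHandlerPresent {
    # The handler only matters if the key exists; the Registry:: provider
    # path lets us test HKCR without mapping a drive first.
    return (Test-Path "Registry::$key")
}

if (Test-MsdtHandlerPresent) {
    # 1. Back up the key exactly as the Microsoft guidance does, so the
    #    protocol handler can be restored after patching.
    & reg.exe export $key $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup of $key failed (reg.exe exit $LASTEXITCODE); not deleting."
    }

    # 2. Remove the handler so documents can no longer launch MSDT via ms-msdt:.
    & reg.exe delete $key /f | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Deleting $key failed (reg.exe exit $LASTEXITCODE)."
    }
}

# 3. Verify. If the key is still present the workaround is not in effect.
if (Test-MsdtHandlerPresent) {
    Write-Error "ms-msdt protocol handler is still registered; workaround NOT applied."
} else {
    Write-Host "ms-msdt protocol handler removed. Backup: $BackupPath"
    Write-Host "Restore after patching with: reg import `"$BackupPath`""
}
```

Run it once per host (for example through your endpoint management tool); re-running is safe because the delete step is skipped when the key is already gone.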

This product is provided subject to this Notification and this Privacy & Use policy.

CISA Temporarily Removes CVE-2022-26925 from Known Exploited Vulnerabilities Catalog

05/13/2022 08:20 PM EDT

Original release date: May 13, 2022

CISA is temporarily removing CVE-2022-26925 from its Known Exploited Vulnerabilities Catalog due to a risk of authentication failures when the May 10, 2022 Microsoft rollup update is applied to domain controllers. After installing the May 10, 2022 rollup update on domain controllers, organizations might experience authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote Access Service (RRAS), RADIUS, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). Microsoft notified CISA of this issue, which is related to how the domain controller handles the mapping of certificates to machine accounts.

For more information see the Microsoft Knowledge Base article, KB5014754—Certificate-based authentication changes on Windows domain controllers: Key Distribution Center registry key.

Note: installing the updates released May 10, 2022 on client Windows devices and on Windows Servers that are not domain controllers will not cause this issue and is still strongly encouraged. The issue only affects the May 10, 2022 updates when installed on servers acting as domain controllers. Organizations should continue to apply the updates to client Windows devices and non-domain controller Windows Servers.
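The script below is an added example for domain controller administrators, not part of the CISA alert or of KB5014754. It reads the two registry values that KB5014754 introduced for certificate-to-account mapping (`StrongCertificateBindingEnforcement` under the Kdc service key and `CertificateMappingMethods` under the Schannel key) and lists the KDC events (IDs 39, 40 and 41 from the `Microsoft-Windows-Kerberos-Key-Distribution-Center` provider in the System log) that identify certificates which could not be strongly mapped. The value meanings and defaults are as documented in KB5014754 at the time of the May 2022 update; the function names and the seven-day window are this example's own assumptions. Run it in an elevated prompt on the domain controller itself.

```powershell
# Added example: check the KB5014754 certificate-mapping posture of a domain
# controller and surface the certificates that only map weakly.
#Requires -RunAsAdministrator

$kdcKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel'

function Get-CertMappingPosture {
    # Missing values mean the post-May-2022 defaults apply:
    # StrongCertificateBindingEnforcement = 1 (compatibility), CertificateMappingMethods = 0x18.
    $kdc = Get-ItemProperty -Path $kdcKey -Name StrongCertificateBindingEnforcement -ErrorAction SilentlyContinue
    $sch = Get-ItemProperty -Path $schannelKey -Name CertificateMappingMethods -ErrorAction SilentlyContinue

    $enforcement = if ($null -ne $kdc) { [int]$kdc.StrongCertificateBindingEnforcement } else { 1 }
    $methods     = if ($null -ne $sch) { [int]$sch.CertificateMappingMethods } else { 0x18 }

    $enforcementMeaning = switch ($enforcement) {
        0       { 'Disabled: weak mappings accepted silently' }
        1       { 'Compatibility: weak mappings accepted but logged (Event 39)' }
        2       { 'Full enforcement: weak mappings rejected' }
        default { "Unrecognised value $enforcement" }
    }

    # Bits 0x1 (Subject/Issuer) and 0x2 (Issuer) are the legacy Schannel mapping
    # methods that the update turned off; 0x1F re-enables them as a rollback.
    $legacyEnabled = ($methods -band 0x3) -ne 0

    [pscustomobject]@{
        StrongCertificateBindingEnforcement = $enforcement
        EnforcementMeaning                  = $enforcementMeaning
        CertificateMappingMethods           = ('0x{0:X}' -f $methods)
        LegacySchannelMappingsEnabled       = $legacyEnabled
    }
}

function Get-WeakMappingEvents {
    param([int]$Days = 7)   # assumed look-back window
    # Per KB5014754: 39 = valid cert with no strong mapping,
    # 40 = cert issued before the account existed, 41 = cert SID differs from the account.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 39, 40, 41
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Report
Get-CertMappingPosture | Format-List

$weak = @(Get-WeakMappingEvents)
if ($weak.Count -eq 0) {
    Write-Host 'No KDC weak-mapping events (39/40/41) in the look-back window.'
} else {
    Write-Host "$($weak.Count) KDC weak-mapping event(s) found; these certificates will fail once enforcement is enabled:"
    $weak | Format-Table -AutoSize
}
```

Event 39 entries in compatibility mode are the actionable output: each names a certificate that authenticates today only because enforcement is not yet on, so those certificates (or the account mappings behind them) need to be fixed before moving `StrongCertificateBindingEnforcement` to 2.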


Microsoft Releases May 2022 Security Updates

05/11/2022 11:00 AM EDT

Original release date: May 11, 2022

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker can exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review Microsoft’s May 2022 Security Update Summary and Deployment Information and apply the necessary updates.


Microsoft Releases Security Advisory for Azure Data Factory and Azure Synapse Pipelines

05/10/2022 07:00 AM EDT

Original release date: May 10, 2022

Microsoft has released a security advisory to address a remote code execution vulnerability affecting Azure Data Factory and Azure Synapse Pipelines. A remote attacker could exploit this vulnerability to take control of an affected system. 

CISA encourages users and administrators to review Microsoft Advisory ADV220001 for more information and to apply the necessary updates. 


Microsoft Releases Advisory to Address Critical Remote Code Execution Vulnerability (CVE-2022-26809)

04/13/2022 03:30 PM EDT

Original release date: April 13, 2022

Microsoft has released an advisory to address CVE-2022-26809, a critical remote code execution vulnerability in the Windows Remote Procedure Call (RPC) Runtime Library. A remote, unauthenticated attacker could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review Microsoft’s advisory and apply the recommended mitigations.


CISA Adds 15 Known Exploited Vulnerabilities to Catalog

03/15/2022 02:00 PM EDT

Original release date: March 15, 2022

CISA has added 15 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click the arrow in the “Date Added to Catalog” column header, which sorts the catalog by descending date.

CVE ID Vulnerability Name Due Date
CVE-2020-5135 SonicWall SonicOS Buffer Overflow Vulnerability 4/5/2022
CVE-2019-1405 Microsoft Windows UPnP Service Privilege Escalation Vulnerability 4/5/2022
CVE-2019-1322 Microsoft Windows Privilege Escalation Vulnerability 4/5/2022
CVE-2019-1315 Microsoft Windows Error Reporting Manager Privilege Escalation Vulnerability 4/5/2022
CVE-2019-1253 Microsoft Windows AppX Deployment Server Privilege Escalation Vulnerability 4/5/2022
CVE-2019-1129 Microsoft Windows AppXSVC Privilege Escalation Vulnerability 4/5/2022
CVE-2019-1069 Microsoft Task Scheduler Privilege Escalation Vulnerability 4/5/2022
CVE-2019-1064 Microsoft Windows AppXSVC Privilege Escalation Vulnerability 4/5/2022
CVE-2019-0841 Microsoft Windows AppXSVC Privilege Escalation Vulnerability 4/5/2022
CVE-2019-0543 Microsoft Windows Privilege Escalation Vulnerability 4/5/2022
CVE-2018-8120 Microsoft Win32k Privilege Escalation Vulnerability 4/5/2022
CVE-2017-0101 Microsoft Windows Transaction Manager Privilege Escalation Vulnerability 4/5/2022
CVE-2016-3309 Microsoft Windows Kernel Privilege Escalation Vulnerability 4/5/2022
CVE-2015-2546 Microsoft Win32k Memory Corruption Vulnerability 4/5/2022
CVE-2019-1132 Microsoft Win32k Privilege Escalation Vulnerability 4/5/2022

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. 

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the specified criteria. Note: prioritizing software updates that address known exploited vulnerabilities is one of the actions CISA encourages as part of the recent Shields Up recommendations to all stakeholders.


Microsoft Releases March 2022 Security Updates

03/08/2022 01:27 PM EST

Original release date: March 8, 2022

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review Microsoft’s March 2022 Security Update Summary and Deployment Information and apply the necessary updates.

CISA Adds Four Known Exploited Vulnerabilities to Catalog

02/25/2022 02:05 PM EST

Original release date: February 25, 2022

CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.

CVE ID Vulnerability Name Due Date
CVE-2022-24682 Zimbra Webmail Cross-Site Scripting Vulnerability 3/11/2022
CVE-2017-8570 Microsoft Office Remote Code Execution 8/25/2022
CVE-2017-0222 Microsoft Internet Explorer Remote Code Execution 8/25/2022
CVE-2014-6352 Microsoft Windows Code Injection Vulnerability 8/25/2022

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the specified criteria.


CISA Adds Nine Known Exploited Vulnerabilities to Catalog

02/15/2022 12:32 PM EST

Original release date: February 15, 2022

CISA has added nine new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.

CVE Number CVE Title Remediation Due Date
CVE-2022-24086 Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability 3/1/2022
CVE-2022-0609 Google Chrome Use-After-Free Vulnerability 3/1/2022
CVE-2019-0752 Microsoft Internet Explorer Type Confusion Vulnerability 8/15/2022
CVE-2018-8174 Microsoft Windows VBScript Engine Out-of-Bounds Write Vulnerability 8/15/2022
CVE-2018-20250 WinRAR Absolute Path Traversal Vulnerability 8/15/2022
CVE-2018-15982 Adobe Flash Player Use-After-Free Vulnerability 8/15/2022
CVE-2017-9841 PHPUnit Command Injection Vulnerability 8/15/2022
CVE-2014-1761 Microsoft Word Memory Corruption Vulnerability 8/15/2022
CVE-2013-3906 Microsoft Graphics Component Memory Corruption Vulnerability 8/15/2022

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the specified criteria.
