Akamai’s Perspective on August Patch Tuesday
by Akamai Security Research
Microsoft’s Patch Tuesday for August is released, and we at Akamai Security Research set out to look at the more intriguing vulnerabilities that were patched. In this report, we’ll try to assess how critical the vulnerabilities really are, how commonplace the affected applications and services are, and provide our own perspective on the bugs that were fixed. Be on the lookout for these insights on the Wednesday after every Patch Tuesday.
This is an updating report and we’ll add more information to it as our research progresses — stay tuned!
In this report, we’re focusing on four areas where bugs were patched:
Windows Point-to-Point Protocol (PPP)
Windows Secure Socket Tunneling Protocol (SSTP)
Network File System (NFS)
Active Directory Certificate Services (AD CS)
Microsoft Exchange Server
For each affected service that we’ll cover, we’ll try to offer recommendations for monitoring and mitigation for when patching isn’t possible — either by quoting Microsoft’s recommendations or by offering workarounds of our own, from our experience. Of course, no mitigation is as good as actually patching, so make sure to patch your systems whenever possible and keep them up to date.
Remote access server vulnerabilities
This Patch Tuesday introduced critical vulnerabilities in two core protocols in the remote access server (RAS): the Point-to-Point Protocol and the Secure Socket Tunneling Protocol.
Remote access is a Windows Server role that allows remote clients to connect to the LAN, similar to a VPN. The server role needs to be actively added.
Windows Point-to-Point Protocol
The Point-to-Point Protocol (PPP) is integrated in the RAS, and provides framing and authentication capabilities for remote connections.
Four vulnerabilities were found in PPP — two critical remote code execution vulnerabilities with a CVSS score of 9.8, and two denial of service vulnerabilities (scored 7.5 and 5.9). According to Microsoft’s advisories, a remote unauthenticated attacker could gain code execution on a RAS server by sending a crafted connection request.
The exploitation of all four vulnerabilities is said to be less likely, suggesting that triggering the vulnerabilities or taking advantage of them might be difficult, or at least not trivial.
How prominent is PPP? Of all the Windows Servers we queried in our monitored environments, 40% of the servers receive connections over port 1723, which is the standard port for the Point-to-Point tunneling protocol.
Where is the bug? We suspect that the vulnerabilities lie either in the rasppp.dll (remote access PPP library) or raspptp.sys (the driver that implements the Point-to-Point tunneling protocol).
General recommendations
Microsoft points out that the vulnerability can only be exploited by communicating over port 1723. So besides patching, exploitation can be prevented by segmenting RAS servers in the network and blocking connections on this port. However, it should be noted that blocking the port may disrupt regular communication.
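The port-1723 workaround above can be checked and applied on the RAS host itself. The script below is an added example, not Akamai's or Microsoft's code: it reports whether the Remote Access role is installed and whether anything listens on TCP 1723, then adds an explicit inbound block rule. It assumes Windows Server with the ServerManager and NetSecurity modules, run elevated; the rule name is a placeholder.

```powershell
# Added example (not from the Akamai post): assess and block PPTP exposure on a RAS host.
# Assumes Windows Server, ServerManager + NetSecurity modules, elevated session.

function Test-PptpExposure {
    # Returns an object describing whether PPTP (TCP 1723) is reachable on this host.
    $role     = Get-WindowsFeature -Name RemoteAccess -ErrorAction SilentlyContinue
    $listener = Get-NetTCPConnection -LocalPort 1723 -State Listen -ErrorAction SilentlyContinue
    # Enabled firewall rules whose port filter includes 1723, regardless of display name
    $rules = Get-NetFirewallPortFilter |
        Where-Object { $_.LocalPort -eq 1723 } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' }

    [pscustomobject]@{
        RemoteAccessInstalled = [bool]($role -and $role.Installed)
        ListeningOn1723       = [bool]$listener
        AllowRulesFor1723     = @($rules | Where-Object Action -eq 'Allow').Count
        BlockRulesFor1723     = @($rules | Where-Object Action -eq 'Block').Count
    }
}

function Block-PptpInbound {
    # Adds an explicit inbound block for TCP 1723. Windows Firewall evaluates block rules
    # before allow rules, so this overrides the allow rule the Remote Access role installs.
    # Caveat from the post: legitimate PPTP clients are cut off as well.
    param([string]$RuleName = 'Block PPTP 1723 (placeholder name)')

    $existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 1723 -Action Block -Profile Any -Enabled True
}

# Usage: review first, then block if this server does not need to serve PPTP clients.
$state = Test-PptpExposure
$state | Format-List
if ($state.ListeningOn1723 -and $state.BlockRulesFor1723 -eq 0) {
    Block-PptpInbound | Select-Object DisplayName, Direction, Action, Enabled
}
```

Run the assessment on every server the 1723 query flagged; a host with the role installed but no listener needs no block rule, and a host with a listener and existing allow rules is where the block (or network-level segmentation) matters.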
CVE analysis
CVE Number | Effect | Required Access | Mitigation Besides Patching |
---|---|---|---|
CVE-2022-35744 | Remote code execution | Network | Disabling port 1723 |
CVE-2022-30133 | Remote code execution | Network | Disabling port 1723 |
CVE-2022-35769 | Denial of service | - | Disabling port 1723 |
CVE-2022-35747 | Denial of service | - | Disabling port 1723 |
Windows Secure Socket Tunneling Protocol
According to Microsoft Developer Network, Windows Secure Socket Tunneling Protocol (SSTP) is a mechanism to encapsulate PPP traffic over HTTPS. Essentially, this protocol enables users to access a private network by using HTTPS.
Six remote code execution vulnerabilities with a CVSS score of 8.1 were patched. Another two remote code execution bugs, also with scores of 8.1, were patched — our guess is that they would be related to the SstpSvc service. One denial-of-service vulnerability with a score of 5.3 was patched.
Where is the bug? The Windows service that provides support for the SSTP is SstpSvc, which eventually runs sstpsvc.dll.
General recommendations
Except for CVE-2022-34701, all vulnerabilities involve a race condition. Since attacks involving race conditions usually require multiple attempts (in a short time frame), it is possible that network traffic will increase, so monitoring traffic peak rates and spikes might uncover attack attempts.
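One way to act on the traffic-spike hint above is to watch the SSTP listener (TCP 443 on the RAS server) for remote addresses that open an unusual number of connections in a short window. The script below is an added example, not part of the Akamai post: the detection function works on any list of connection records shaped like `Get-NetTCPConnection` output, so it can be checked offline against the constructed sample at the bottom, and the watcher samples the live TCP table. The threshold and interval are assumptions to tune against your own baseline.

```powershell
# Added example (not from the Akamai post): burst detection for the SSTP listener.
# Repeated race-condition attempts from one source show up as many connections in a
# short window; this flags remote addresses above a per-sample threshold.

function Find-ConnectionBursts {
    # $Connections: objects with RemoteAddress, LocalPort and State
    # (the shape of Get-NetTCPConnection). Returns one object per remote address
    # whose connection count to $Port exceeds $Threshold.
    param(
        [object[]]$Connections = @(),
        [int]$Port = 443,
        [int]$Threshold = 20
    )
    $Connections |
        Where-Object { $_.LocalPort -eq $Port } |
        Group-Object -Property RemoteAddress |
        Where-Object { $_.Count -gt $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                RemoteAddress = $_.Name
                Connections   = $_.Count
                States        = ($_.Group.State | Sort-Object -Unique) -join ','
            }
        }
}

function Watch-SstpBursts {
    # Samples the live TCP table every $IntervalSeconds, $Samples times, and prints bursts.
    param([int]$IntervalSeconds = 10, [int]$Threshold = 20, [int]$Samples = 6)
    for ($i = 0; $i -lt $Samples; $i++) {
        $snapshot = @(Get-NetTCPConnection -LocalPort 443 -ErrorAction SilentlyContinue)
        $hits = Find-ConnectionBursts -Connections $snapshot -Threshold $Threshold
        foreach ($h in $hits) {
            "{0:o} burst: {1} has {2} connections to 443 (states: {3})" -f `
                (Get-Date), $h.RemoteAddress, $h.Connections, $h.States
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

# Constructed sample (offline check of the detection logic, not captured traffic):
# 25 half-open connections from one address, 3 normal sessions from another.
$sample = @()
1..25 | ForEach-Object {
    $sample += [pscustomobject]@{ RemoteAddress = '203.0.113.7';   LocalPort = 443; State = 'SynReceived' }
}
1..3 | ForEach-Object {
    $sample += [pscustomobject]@{ RemoteAddress = '198.51.100.20'; LocalPort = 443; State = 'Established' }
}
Find-ConnectionBursts -Connections $sample -Threshold 20

# Live use on the RAS server: Watch-SstpBursts -IntervalSeconds 10 -Threshold 20
```

Because SSTP rides on HTTPS, a RAS server that also hosts other TLS services will have a higher normal connection count on 443; establish the baseline during a quiet period before trusting the threshold, and feed the output to whatever alerting you already run rather than watching the console.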
CVE analysis
CVE Number | Effect | Required Access | Mitigation Besides Patching |
---|---|---|---|
CVE-2022-35766 | An unauthenticated attacker could achieve remote code execution on a RAS server | Network | |
CVE-2022-34702 | An unauthenticated attacker could achieve remote code execution on a RAS server | Network | |
CVE-2022-35745 | An unauthenticated attacker could achieve remote code execution on a RAS server | Network | |
CVE-2022-35767 | An unauthenticated attacker could achieve remote code execution on a RAS server | Network | |
CVE-2022-34714 | An unauthenticated attacker could achieve remote code execution on a RAS server | Network | |
CVE-2022-35794 | An unauthenticated attacker could achieve remote code execution on a RAS server | Network | |
CVE-2022-35769 | An unauthenticated attacker could achieve remote code execution, probably through the SstpSvc service | - | |
CVE-2022-35747 | An unauthenticated attacker could achieve remote code execution, probably through the SstpSvc service | - | |
CVE-2022-34701 | Denial of service | | |
Network File System
Network File System (NFS) is a network protocol originally developed by Sun Microsystems to allow remote file access over the network. An implementation of it exists in Microsoft Windows, and the NFS role can be added to a server to turn it into an NFS server.
Scope analysis
The NFS feature needs to be added to a Window server and client before it can be used. It is included in the “File and Storage Services” server role in Windows Server.
NFS commonly uses ports 111 (Sun RPC’s EpMapper port — early versions of NFS are implemented over Sun RPC) and 2049. Looking at various data centers, we found that only 0.1% could potentially be NFSv4 servers, and only about half are running Windows.
We also believe that this month’s CVE was introduced by one of the latest security updates, since Microsoft’s mitigation (disabling NFS v4.1) warns that it should be done only on fully patched servers, which implies that servers not fully patched might be safe.
General recommendations
Normally, we would recommend checking whether you can upgrade your NFS server to NFS v4.1, as it is the most secure version; most of the NFS vulnerabilities patched in previous Patch Tuesdays were in earlier versions of the protocol. This time, however, the vulnerability affects only NFS v4, so we can’t recommend an upgrade.
Instead, we recommend applying segmentation around NFS servers. You should check and see if you can limit (ringfence) the NFS clients to a smaller group of servers/workstations, and also limit the outbound traffic from the NFS server. As it is a server, there should be few reasons for it to initiate connections. Segmentation could limit the impact a successful exploitation provides.
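The two host-side controls the NFS section describes, scoping the NFS listener to an allowlist of clients and (Microsoft's workaround) turning off NFS v4, can both be done from PowerShell on the NFS server. The script below is an added example, not Akamai's or Microsoft's code. It assumes the NetSecurity and NFS modules on a Windows NFS server, run elevated; the client subnets are constructed, and the `Set-NfsServerConfiguration` parameter name should be confirmed against Microsoft's advisory before use.

```powershell
# Added example (not from the Akamai post): ringfence a Windows NFS server's inbound
# ports and optionally disable NFS v4. Assumes NetSecurity + NFS modules, elevated.

function Limit-NfsInbound {
    # Rescopes every enabled inbound rule whose local port is 111 (Sun RPC port mapper)
    # or 2049 (NFS) so that it only matches the given client ranges. The rules created
    # by the NFS role are left in place; only their remote-address scope changes.
    param([Parameter(Mandatory)] [string[]]$ClientRanges)

    $nfsRules = Get-NetFirewallPortFilter |
        Where-Object {
            $ports = @($_.LocalPort)
            ($ports -contains '111') -or ($ports -contains '2049')
        } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }

    foreach ($rule in $nfsRules) {
        $rule | Set-NetFirewallRule -RemoteAddress $ClientRanges
    }
    # Report the resulting scope so it can be reviewed.
    $nfsRules | Get-NetFirewallAddressFilter |
        Select-Object -ExpandProperty RemoteAddress -Unique
}

function Disable-NfsV4 {
    # Microsoft's workaround for this month's NFS CVE. The post notes Microsoft says
    # to apply it only on fully patched servers; v2/v3 clients keep working.
    # Parameter name assumed from the NFS module; confirm against the advisory.
    Set-NfsServerConfiguration -EnableNFSV4 $false
    nfsadmin server stop
    nfsadmin server start
    Get-NfsServerConfiguration | Select-Object EnableNFSV2, EnableNFSV3, EnableNFSV4
}

# Usage with constructed client ranges:
Limit-NfsInbound -ClientRanges @('10.20.30.0/24', '10.20.31.0/24')
# Disable-NfsV4    # run separately, after patching, per Microsoft's note
```

Scoping the existing rules rather than adding new ones avoids the block-beats-allow ordering problem in Windows Firewall: a client outside the ranges simply matches no allow rule and is dropped by the default inbound policy. Re-run `Limit-NfsInbound` whenever the client list changes, since the role's rules are rewritten on reinstall.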
CVE analysis
CVE Number | Effect | Required Access | Mitigation Besides Patching |
---|---|---|---|
(not listed) | Attacker can get remote code execution using unauthenticated calls to NFS v4 | Network | Disabling NFSv4; rolling back security updates (while keeping NFSv4, since most of the previous CVEs were for earlier versions) |
Active Directory Certificate Services
Active Directory Domain Services (AD DS) is one of the core components of Active Directory. Servers running this role are the domain controllers of the Windows domain.
Scope analysis
There is at least one Windows Server running AD DS in every Windows domain network — the domain controller.
This month’s vulnerability is actually in the Active Directory Certificate Services (AD CS), which isn’t available by default; it requires an additional role installation. In our monitored Windows Servers in customer environments, we can see that 66% of our monitored networks have a server with the AD CS role.
AD CS is known to be abused by attackers, the most notorious recent example being PetitPotam, where it served in the attack flow as the target of the NTLM relay (building on excellent research by SpecterOps).
General recommendations
Since the AD CS service should be installed on only a selected number of servers (or even a single server) in your network, which play a critical role in your domain architecture, we strongly recommend you patch those servers as soon as possible.
If that isn’t possible, note that May’s patch introduced additional Windows event log entries (following other similar CVEs) that you should monitor for irregular activity. Please refer to KB5014754 for more information.
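The monitoring advice above can be turned into a scheduled check against each domain controller. The script below is an added example, not Akamai's or Microsoft's code: it reports whether the AD CS certification authority role is present on a host and pulls the certificate-mapping events that KB5014754 added to the KDC. The provider name and event IDs (39, 40, 41) are taken from that KB as the author understands it; confirm them against the KB for your OS version. It assumes an elevated session with RSAT and remote event log access to the DCs.

```powershell
# Added example (not from the Akamai post): AD CS role check plus KB5014754 event triage.
# Provider name and event IDs assumed from KB5014754; verify against the KB.

function Get-AdcsRolePresence {
    # AD CS is not installed by default, so this answers "is this host a CA?".
    $ca = Get-WindowsFeature -Name ADCS-Cert-Authority -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        AdcsCaInstalled = [bool]($ca -and $ca.Installed)
    }
}

function Get-WeakCertMappingEvents {
    # Pulls KDC events that indicate a certificate authenticated a user without a strong
    # mapping (39), predates the account it mapped to (40), or carries a SID that does
    # not match the account (41). Returns one object per event.
    param(
        [string[]]$DomainControllers = @($env:COMPUTERNAME),
        [int]$Hours = 24,
        [int[]]$EventIds = @(39, 40, 41)   # per KB5014754 (assumed; verify)
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = $EventIds
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    foreach ($dc in $DomainControllers) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    DomainController = $dc
                    Time             = $_.TimeCreated
                    EventId          = $_.Id
                    Summary          = ($_.Message -split "`r?`n")[0]
                }
            }
    }
}

# Usage: which weak-mapping condition fires, and how often, over the last three days.
Get-AdcsRolePresence
Get-WeakCertMappingEvents -Hours 72 |
    Group-Object EventId |
    Select-Object Name, Count
```

A steady trickle of event 39 usually means legitimate certificates issued before the strong-mapping change; a sudden appearance of 40 or 41, or of 39 for accounts that never used certificate logon, is what should page someone. Pass the full list of DCs to `-DomainControllers`, since each DC only logs the authentications it served.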
CVE analysis
CVE Number | Effect | Required Access | Mitigation Besides Patching |
---|---|---|---|
(not listed) | Attacker can get SYSTEM privileges by modifying certain user attributes followed by a request to AD CS | Network | Disabling AD CS |
Microsoft Exchange Server
Microsoft Exchange Server is the mail server developed by Microsoft. This month six CVEs were patched: three critical Elevation of Privilege vulnerabilities and three important Information Disclosure vulnerabilities. These vulnerabilities affect on-premises installations of Exchange, not Office 365 instances.
Scope analysis
With the introduction of Office 365, more and more organizations are ditching on-premises installations in favor of SaaS solutions. In line with this, only 40% of our monitored networks have an on-premises Exchange server.
General recommendations
The Information Disclosure vulnerabilities clearly state that they allow attackers to read targeted mails, but Microsoft doesn’t explicitly state the effect of the Elevation of Privilege vulnerabilities. We believe they might allow attackers to send emails in the name of other users. Since they are also categorized as “Exploitation More Likely,” we highly recommend patching your Exchange servers, and enabling Extended Protection. For more information, check out Microsoft’s Exchange Blog.
In addition, some of these vulnerabilities require the Exchange server to reach a malicious server under the attacker’s control. If you can map your on-premises Exchange server’s required neighbors (external mail servers, databases, etc.) and create ringfencing rules for them, this can also be an effective mitigation.
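The ringfencing idea above, in host-firewall terms, is an outbound allowlist built from the neighbor map plus a default-deny egress policy. The script below is an added example, not Akamai's or Microsoft's code. It assumes the NetSecurity module on the Exchange server, run elevated; the neighbor names and addresses are constructed, and the rule group name is a placeholder.

```powershell
# Added example (not from the Akamai post): outbound ringfence for an Exchange server.
# Assumes NetSecurity module, elevated session. Neighbor map below is constructed.

function New-ExchangeRingfence {
    param(
        # name -> @{ Address = <IP, CIDR or range>; Port = <int or 'Any'>; Protocol = 'TCP'|'UDP'|'Any' }
        [Parameter(Mandatory)] [hashtable]$Neighbors,
        [string]$Group = 'Exchange ringfence (placeholder)',
        [switch]$Enforce   # only when set: flip default outbound action to Block
    )
    foreach ($name in $Neighbors.Keys) {
        $n = $Neighbors[$name]
        $displayName = "$Group - $name"
        if (Get-NetFirewallRule -DisplayName $displayName -ErrorAction SilentlyContinue) {
            continue   # idempotent: keep the existing rule
        }
        $params = @{
            DisplayName   = $displayName
            Group         = $Group
            Direction     = 'Outbound'
            Action        = 'Allow'
            RemoteAddress = $n.Address
            Protocol      = $n.Protocol
        }
        if ($n.Protocol -ne 'Any') { $params.RemotePort = $n.Port }
        $null = New-NetFirewallRule @params
    }
    if ($Enforce) {
        # Everything not matched by an allow rule is now dropped on egress,
        # including a connection to an attacker-controlled server.
        Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
    }
    Get-NetFirewallRule -Group $Group | Select-Object DisplayName, Enabled, Action
}

# Constructed neighbor map: domain controllers, an upstream SMTP relay, internal DNS.
$neighbors = @{
    'Domain controllers' = @{ Address = '10.0.1.0/24'; Port = 'Any'; Protocol = 'Any' }
    'SMTP relay'         = @{ Address = '10.0.5.25';   Port = 25;    Protocol = 'TCP' }
    'Internal DNS'       = @{ Address = '10.0.1.53';   Port = 53;    Protocol = 'UDP' }
}

# First pass creates allow rules only; review them, then re-run with -Enforce.
New-ExchangeRingfence -Neighbors $neighbors
```

The two-pass flow matters: once `-Enforce` is applied, anything missing from the map (DAG partners, Windows Update, a hybrid Office 365 endpoint, the CA used for TLS renewal) stops working. Build the map from a few days of observed outbound connections on the server before enforcing, and keep the allow rules in one group so they can be reviewed and removed together.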
CVE analysis
CVE Number | Effect | Required Access | Mitigation Besides Patching |
---|---|---|---|
(not listed) | A successful attack may allow an attacker to read and send emails | Network | Ringfencing outbound connections from Exchange servers |
(not listed) | A successful attack may allow an attacker to read and send emails | Network, access to malicious server | Ringfencing outbound connections from Exchange servers |
(not listed) | An authenticated attacker could read and send emails | Network, authentication | |
(not listed) | Reading targeted emails | Network | |
(not listed) | Reading targeted emails | Network, access to malicious server | Ringfencing outbound connections from Exchange servers |
This summary provides an overview of our current understanding and recommendations given the information available. Our review is ongoing and any information herein is subject to change.