Remote code execution bug fixes and more in Microsoft's September Patch Tuesday

Microsoft's 'Patch Tuesday' is important this month, with five critical vulnerabilities patched, and one vulnerability already exploited.

Microsoft’s advisory says CVE-2022-37969 has an exploit circulating in the wild.

It’s an elevation of privilege vulnerability in the Windows Common Log File System Driver, and while it’s only locally exploitable, it gives the attacker system-level privileges.

The on-premises version of Microsoft Dynamics CRM has two critical-rated vulnerabilities: CVE-2022-35805 and CVE-2022-34700.

Both of them allow an authenticated user to “run a specially crafted trusted solution package to execute arbitrary SQL commands,” Microsoft’s advisory states.

“From there the attacker could escalate and execute commands as db_owner within their Dynamics 365 database.”

Two remote code execution (RCE) bugs affect Windows Internet Key Exchange protocol extensions. 

Designated CVE-2022-34721 and CVE-2022-34722, the bugs affect any Windows machine with IPSec enabled. 

They can be exploited remotely by an unprivileged attacker, without user interaction.

The SANS Institute’s Renato Marinho wrote: “This vulnerability brings together the characteristics of a wormable vulnerability that you should give attention to and apply the patch as soon as possible.”

Windows’ IPv6 implementation is vulnerable to RCE via CVE-2022-34718, which can be attacked using a crafted IPv6 packet sent to a Windows machine with IPSec enabled.

Marinho noted that this is also wormable, but only affects systems running the IPSec service.

The full patch list includes 79 fixes.