Back to Blog
Detection and Response

Patch Tuesday - August 2022

Greg Wiseman
Greg Wiseman
|Last updated on Aug 9, 2022|1 min read
LinkedInFacebookX
Patch Tuesday - August 2022

It's the week of Hacker Summer Camp in Las Vegas, and Microsoft has published fixes for 141 separate vulnerabilities in their swath of August updates. This is a new monthly record by raw CVE count, but from a patching perspective, the numbers are slightly less dire. 20 CVEs affect their Chromium-based Edge browser, and 34 affect Azure Site Recovery (up from 32 CVEs affecting that product last month). As usual, OS-level updates will address a lot of these, but note that some extra configuration is required to fully protect Exchange Server this month.

There is one 0-day being patched this month. CVE-2022-34713 is a remote code execution (RCE) vulnerability affecting the Microsoft Windows Support Diagnostic Tool (MSDT) – it carries a CVSSv3 base score of 7.8, as it requires convincing a potential victim to open a malicious file. The advisory indicates that this CVE is a variant of the “Dogwalk” vulnerability, which made news alongside Follina (CVE-2022-30190) back in May.

Publicly disclosed, but not (yet) exploited is CVE-2022-30134, an Information Disclosure vulnerability affecting Exchange Server. In this case, simply patching is not sufficient to protect against attackers being able to read targeted email messages. Administrators should enable Extended Protection in order to fully remediate this vulnerability, as well as the five other vulnerabilities affecting Exchange this month. Details about how to accomplish this are available via the Exchange Blog.

Microsoft also patched several flaws affecting Remote Access Server (RAS). The most severe of these (CVE-2022-30133 and CVE-2022-35744) are related to Windows Point-to-Point Tunneling Protocol and could allow RCE simply by sending a malicious connection request to a server. Seven CVEs affecting the Windows Secure Socket Tunneling Protocol (SSTP) on RAS were also fixed this month: six RCEs and one Denial of Service. If you have RAS in your environment but are unable to patch immediately, consider blocking traffic on port 1723 from your network.

Vulnerabilities affecting Windows Network File System (NFS) have been trending in recent months, and today sees Microsoft patching CVE-2022-34715 (RCE, CVSS 9.8) affecting NFSv4.1 on Windows Server 2022.

This is the worst of it. One last vulnerability to highlight: CVE-2022-35797 is a Security Feature Bypass in Windows Hello – Microsoft’s biometric authentication mechanism for Windows 10. Successful exploitation requires physical access to a system, but would allow an attacker to bypass a facial recognition check.

Summary charts

2022-08-vuln_count_severity.png2022-08-vuln_count_impact.png2022-08-cvssv3_hist.png2022-08-vuln_count_component.png

Summary tables

Azure vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base scoreHas FAQ?
CVE-2022-35802Azure Site Recovery Elevation of Privilege VulnerabilityNoNo8.1Yes
CVE-2022-30175Azure RTOS GUIX Studio Remote Code Execution VulnerabilityNoNo7.8Yes
CVE-2022-30176Azure RTOS GUIX Studio Remote Code Execution VulnerabilityNoNo7.8Yes
CVE-2022-34687Azure RTOS GUIX Studio Remote Code Execution VulnerabilityNoNo7.8Yes
CVE-2022-35773Azure RTOS GUIX Studio Remote Code Execution VulnerabilityNoNo7.8Yes
CVE-2022-35779Azure RTOS GUIX Studio Remote Code Execution VulnerabilityNoNo7.8Yes
CVE-2022-35806Azure RTOS GUIX Studio Remote Code Execution VulnerabilityNoNo7.8Yes
CVE-2022-35772Azure Site Recovery Remote Code Execution VulnerabilityNoNo7.2Yes
CVE-2022-35824Azure Site Recovery Remote Code Execution VulnerabilityNoNo7.2Yes
CVE-2022-33646Azure Batch Node Agent Elevation of Privilege VulnerabilityNoNo7Yes
CVE-2022-35780Azure Site Recovery Elevation of Privilege VulnerabilityNoNo6.5Yes
CVE-2022-35781Azure Site Recovery Elevation of Privilege VulnerabilityNoNo6.5Yes
CVE-2022-35799Azure Site Recovery Elevation of Privilege VulnerabilityNoNo6.5Yes
CVE-2022-35775Azure Site Recovery Elevation of Privilege VulnerabilityNoNo6.5Yes
CVE-2022-35801Azure Site Recovery Elevation of Privilege VulnerabilityNoNo6.5Yes
CVE-2022-35807Azure Site Recovery Elevation of Privilege VulnerabilityNoNo6.5Yes
CVE-2022-35808Azure Site Recovery Elevation of Privilege VulnerabilityNoNo6.5Yes
CVE-2022-35782Azure Site Recovery Elevation of Privilege VulnerabilityNoNo6.5Yes
CVE-2022-35809Azure Site Recovery Elevation of Privilege VulnerabilityNoNo6.5Yes
CVE-2022-35784Azure Site Recovery Elevation of Privilege VulnerabilityNoNo6.5Yes
CVE-2022-35810Azure Site Recovery Elevation of Privilege VulnerabilityNoNo6.5Yes
CVE-2022-35811Azure Site Recovery Elevation of Privilege VulnerabilityNoNo6.5Yes
CVE-2022-35785Azure Site Recovery Elevation of Privilege VulnerabilityNoNo6.5Yes
CVE-2022-35786Azure Site Recovery Elevation of Privilege VulnerabilityNoNo6.5Yes
CVE-2022-35813Azure Site Recovery Elevation of Privilege VulnerabilityNoNo6.5Yes
CVE-2022-35788Azure Site Recovery Elevation of Privilege VulnerabilityNoNo6.5Yes
CVE-2022-35814Azure Site Recovery Elevation of Privilege VulnerabilityNoNo6.5Yes
CVE-2022-35789Azure Site Recovery Elevation of Privilege VulnerabilityNoNo6.5Yes
CVE-2022-35815Azure Site Recovery Elevation of Privilege VulnerabilityNoNo6.5Yes
CVE-2022-35790Azure Site Recovery Elevation of Privilege VulnerabilityNoNo6.5Yes
CVE-2022-35816Azure Site Recovery Elevation of Privilege VulnerabilityNoNo6.5Yes
CVE-2022-35817Azure Site Recovery Elevation of Privilege VulnerabilityNoNo6.5Yes
CVE-2022-35791Azure Site Recovery Elevation of Privilege VulnerabilityNoNo6.5Yes
CVE-2022-35818Azure Site Recovery Elevation of Privilege VulnerabilityNoNo6.5Yes
CVE-2022-35819Azure Site Recovery Elevation of Privilege VulnerabilityNoNo6.5Yes
CVE-2022-35776Azure Site Recovery Denial of Service VulnerabilityNoNo6.2Yes
CVE-2022-34685Azure RTOS GUIX Studio Information Disclosure VulnerabilityNoNo5.5Yes
CVE-2022-34686Azure RTOS GUIX Studio Information Disclosure VulnerabilityNoNo5.5Yes
CVE-2022-35774Azure Site Recovery Elevation of Privilege VulnerabilityNoNo4.9Yes
CVE-2022-35800Azure Site Recovery Elevation of Privilege VulnerabilityNoNo4.9Yes
CVE-2022-35787Azure Site Recovery Elevation of Privilege VulnerabilityNoNo4.9Yes
CVE-2022-35821Azure Sphere Information Disclosure VulnerabilityNoNo4.4Yes
CVE-2022-35783Azure Site Recovery Elevation of Privilege VulnerabilityNoNo4.4Yes
CVE-2022-35812Azure Site Recovery Elevation of Privilege VulnerabilityNoNo4.4Yes

Browser vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base scoreHas FAQ?
CVE-2022-33649Microsoft Edge (Chromium-based) Security Feature Bypass VulnerabilityNoNo9.6Yes
CVE-2022-33636Microsoft Edge (Chromium-based) Remote Code Execution VulnerabilityNoNo8.3Yes
CVE-2022-35796Microsoft Edge (Chromium-based) Elevation of Privilege VulnerabilityNoNo7.5Yes
CVE-2022-2624Chromium: CVE-2022-2624 Heap buffer overflow in PDFNoNoN/AYes
CVE-2022-2623Chromium: CVE-2022-2623 Use after free in OfflineNoNoN/AYes
CVE-2022-2622Chromium: CVE-2022-2622 Insufficient validation of untrusted input in Safe BrowsingNoNoN/AYes
CVE-2022-2621Chromium: CVE-2022-2621 Use after free in ExtensionsNoNoN/AYes
CVE-2022-2619Chromium: CVE-2022-2619 Insufficient validation of untrusted input in SettingsNoNoN/AYes
CVE-2022-2618Chromium: CVE-2022-2618 Insufficient validation of untrusted input in InternalsNoNoN/AYes
CVE-2022-2617Chromium: CVE-2022-2617 Use after free in Extensions APINoNoN/AYes
CVE-2022-2616Chromium: CVE-2022-2616 Inappropriate implementation in Extensions APINoNoN/AYes
CVE-2022-2615Chromium: CVE-2022-2615 Insufficient policy enforcement in CookiesNoNoN/AYes
CVE-2022-2614Chromium: CVE-2022-2614 Use after free in Sign-In FlowNoNoN/AYes
CVE-2022-2612Chromium: CVE-2022-2612 Side-channel information leakage in Keyboard inputNoNoN/AYes
CVE-2022-2611Chromium: CVE-2022-2611 Inappropriate implementation in Fullscreen APINoNoN/AYes
CVE-2022-2610Chromium: CVE-2022-2610 Insufficient policy enforcement in Background FetchNoNoN/AYes
CVE-2022-2606Chromium: CVE-2022-2606 Use after free in Managed devices APINoNoN/AYes
CVE-2022-2605Chromium: CVE-2022-2605 Out of bounds read in DawnNoNoN/AYes
CVE-2022-2604Chromium: CVE-2022-2604 Use after free in Safe BrowsingNoNoN/AYes
CVE-2022-2603Chromium: CVE-2022-2603 Use after free in OmniboxNoNoN/AYes

Developer Tools vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base scoreHas FAQ?
CVE-2022-35777Visual Studio Remote Code Execution VulnerabilityNoNo8.8Yes
CVE-2022-35825Visual Studio Remote Code Execution VulnerabilityNoNo8.8Yes
CVE-2022-35826Visual Studio Remote Code Execution VulnerabilityNoNo8.8Yes
CVE-2022-35827Visual Studio Remote Code Execution VulnerabilityNoNo8.8Yes
CVE-2022-34716.NET Spoofing VulnerabilityNoNo5.9Yes

ESU Windows vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base scoreHas FAQ?
CVE-2022-30133Windows Point-to-Point Protocol (PPP) Remote Code Execution VulnerabilityNoNo9.8Yes
CVE-2022-35744Windows Point-to-Point Protocol (PPP) Remote Code Execution VulnerabilityNoNo9.8Yes
CVE-2022-34691Active Directory Domain Services Elevation of Privilege VulnerabilityNoNo8.8Yes
CVE-2022-34714Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution VulnerabilityNoNo8.1Yes
CVE-2022-35745Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution VulnerabilityNoNo8.1Yes
CVE-2022-35752Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution VulnerabilityNoNo8.1Yes
CVE-2022-35753Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution VulnerabilityNoNo8.1Yes
CVE-2022-34702Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution VulnerabilityNoNo8.1Yes
CVE-2022-35767Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution VulnerabilityNoNo8.1Yes
CVE-2022-34706Windows Local Security Authority (LSA) Elevation of Privilege VulnerabilityNoNo7.8Yes
CVE-2022-34707Windows Kernel Elevation of Privilege VulnerabilityNoNo7.8Yes
CVE-2022-35768Windows Kernel Elevation of Privilege VulnerabilityNoNo7.8Yes
CVE-2022-35756Windows Kerberos Elevation of Privilege VulnerabilityNoNo7.8Yes
CVE-2022-35751Windows Hyper-V Elevation of Privilege VulnerabilityNoNo7.8Yes
CVE-2022-35795Windows Error Reporting Service Elevation of Privilege VulnerabilityNoNo7.8Yes
CVE-2022-35820Windows Bluetooth Driver Elevation of Privilege VulnerabilityNoNo7.8Yes
CVE-2022-35750Win32k Elevation of Privilege VulnerabilityNoNo7.8Yes
CVE-2022-34713Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution VulnerabilityYesYes7.8Yes
CVE-2022-35743Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution VulnerabilityNoNo7.8Yes
CVE-2022-35760Microsoft ATA Port Driver Elevation of Privilege VulnerabilityNoNo7.8Yes
CVE-2022-30194Windows WebBrowser Control Remote Code Execution VulnerabilityNoNo7.5Yes
CVE-2022-35769Windows Point-to-Point Protocol (PPP) Denial of Service VulnerabilityNoNo7.5No
CVE-2022-35793Windows Print Spooler Elevation of Privilege VulnerabilityNoNo7.3Yes
CVE-2022-34690Windows Fax Service Elevation of Privilege VulnerabilityNoNo7.1Yes
CVE-2022-35759Windows Local Security Authority (LSA) Denial of Service VulnerabilityNoNo6.5No
CVE-2022-35747Windows Point-to-Point Protocol (PPP) Denial of Service VulnerabilityNoNo5.9Yes
CVE-2022-35758Windows Kernel Memory Information Disclosure VulnerabilityNoNo5.5Yes
CVE-2022-34708Windows Kernel Information Disclosure VulnerabilityNoNo5.5Yes
CVE-2022-34701Windows Secure Socket Tunneling Protocol (SSTP) Denial of Service VulnerabilityNoNo5.3No

Exchange Server vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base scoreHas FAQ?
CVE-2022-21980Microsoft Exchange Server Elevation of Privilege VulnerabilityNoNo8Yes
CVE-2022-24516Microsoft Exchange Server Elevation of Privilege VulnerabilityNoNo8Yes
CVE-2022-24477Microsoft Exchange Server Elevation of Privilege VulnerabilityNoNo8Yes
CVE-2022-30134Microsoft Exchange Information Disclosure VulnerabilityNoYes7.6Yes
CVE-2022-34692Microsoft Exchange Information Disclosure VulnerabilityNoNo5.3Yes
CVE-2022-21979Microsoft Exchange Information Disclosure VulnerabilityNoNo4.8Yes

Microsoft Office vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base scoreHas FAQ?
CVE-2022-34717Microsoft Office Remote Code Execution VulnerabilityNoNo8.8Yes
CVE-2022-33648Microsoft Excel Remote Code Execution VulnerabilityNoNo7.8Yes
CVE-2022-35742Microsoft Outlook Denial of Service VulnerabilityNoNo7.5Yes
CVE-2022-33631Microsoft Excel Security Feature Bypass VulnerabilityNoNo7.3Yes

System Center Azure vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base scoreHas FAQ?
CVE-2022-33640System Center Operations Manager: Open Management Infrastructure (OMI) Elevation of Privilege VulnerabilityNoNo7.8Yes

Windows vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base scoreHas FAQ?
CVE-2022-34715Windows Network File System Remote Code Execution VulnerabilityNoNo9.8Yes
CVE-2022-35804SMB Client and Server Remote Code Execution VulnerabilityNoNo8.8Yes
CVE-2022-35761Windows Kernel Elevation of Privilege VulnerabilityNoNo8.4Yes
CVE-2022-35766Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution VulnerabilityNoNo8.1Yes
CVE-2022-35794Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution VulnerabilityNoNo8.1Yes
CVE-2022-34699Windows Win32k Elevation of Privilege VulnerabilityNoNo7.8Yes
CVE-2022-33670Windows Partition Management Driver Elevation of Privilege VulnerabilityNoNo7.8Yes
CVE-2022-34703Windows Partition Management Driver Elevation of Privilege VulnerabilityNoNo7.8Yes
CVE-2022-34696Windows Hyper-V Remote Code Execution VulnerabilityNoNo7.8Yes
CVE-2022-35746Windows Digital Media Receiver Elevation of Privilege VulnerabilityNoNo7.8Yes
CVE-2022-35749Windows Digital Media Receiver Elevation of Privilege VulnerabilityNoNo7.8Yes
CVE-2022-34705Windows Defender Credential Guard Elevation of Privilege VulnerabilityNoNo7.8Yes
CVE-2022-35771Windows Defender Credential Guard Elevation of Privilege VulnerabilityNoNo7.8Yes
CVE-2022-35762Storage Spaces Direct Elevation of Privilege VulnerabilityNoNo7.8Yes
CVE-2022-35763Storage Spaces Direct Elevation of Privilege VulnerabilityNoNo7.8Yes
CVE-2022-35764Storage Spaces Direct Elevation of Privilege VulnerabilityNoNo7.8Yes
CVE-2022-35765Storage Spaces Direct Elevation of Privilege VulnerabilityNoNo7.8Yes
CVE-2022-35792Storage Spaces Direct Elevation of Privilege VulnerabilityNoNo7.8Yes
CVE-2022-30144Windows Bluetooth Service Remote Code Execution VulnerabilityNoNo7.5Yes
CVE-2022-35748HTTP.sys Denial of Service VulnerabilityNoNo7.5Yes
CVE-2022-35755Windows Print Spooler Elevation of Privilege VulnerabilityNoNo7.3Yes
CVE-2022-35757Windows Cloud Files Mini Filter Driver Elevation of Privilege VulnerabilityNoNo7.3Yes
CVE-2022-35754Unified Write Filter Elevation of Privilege VulnerabilityNoNo6.7Yes
CVE-2022-35797Windows Hello Security Feature Bypass VulnerabilityNoNo6.1Yes
CVE-2022-34709Windows Defender Credential Guard Security Feature Bypass VulnerabilityNoNo6Yes
CVE-2022-30197Windows Kernel Information Disclosure VulnerabilityNoNo5.5Yes
CVE-2022-34710Windows Defender Credential Guard Information Disclosure VulnerabilityNoNo5.5Yes
CVE-2022-34712Windows Defender Credential Guard Information Disclosure VulnerabilityNoNo5.5Yes
CVE-2022-34704Windows Defender Credential Guard Information Disclosure VulnerabilityNoNo5.5Yes
CVE-2022-34303CERT/CC: CVE-20220-34303 Crypto Pro Boot Loader BypassNoNoN/AYes
CVE-2022-34302CERT/CC: CVE-2022-34302 New Horizon Data Systems Inc Boot Loader BypassNoNoN/AYes
CVE-2022-34301CERT/CC: CVE-2022-34301 Eurosoft Boot Loader BypassNoNoN/AYes

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Subscribe

Article Tags

Author

Greg Wiseman
Greg Wiseman
Authors's Posts

Related blog posts