Microsoft Patch Tuesday – September 2022

Patch Tuesday is once again upon us. The September 2022 edition of Patch Tuesday brings us 63 fixes, with 5 rated as critical. We’ve listed the most important changes below.

⚡ TL;DR | Go Straight to the September 2022 Patch Tuesday Audit Report

Windows TCP/IP Remote Code Execution Vulnerability

Of the 5 critical vulnerabilities fixed in this Patch Tuesday, only one is more likely to be exploited. CVE-2022-34718 is a remote code execution vulnerability that received a CVSS score of 9.8. When exploited it would allow an unauthenticated attacker to send a specially crafted IPv6 packet to a Windows node where IPSec is enabled. This in turn could enable a remote code execution exploitation on that machine. However, this also means that only systems with the IPSec service running would be vulnerable to this attack.

Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability

Two of the critical vulnerabilities CVE-2022-34721 and CVE-2022-34722 are remote code execution vulnerabilities in the Windows Internet Key Exchange (IKE) protocol. More specifically, IKEv1. IKEv2 is not impacted. All Windows Servers are affected though because they accept both V1 and V2 packets. While these vulnerabilities are less likely to be exploited, they still received a CVSS score of 9.8 and should be addressed as soon as possible.

Just like with the vulnerability above, these vulnerabilities could allow an unauthenticated attacker to send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could enable a remote code execution exploitation.

Microsoft Dynamics CRM (on-premises) Remote Code Execution Vulnerability

The final two critical vulnerabilities that were addressed in this Patch Tuesday are a set of remote code execution vulnerabilities that affect the on-premises version of the Microsoft Dynamics CRM. CVE-2022-34700 and CVE-2022-35805 both received a CVSS score of 8.8, but they are once again less likely to be exploited.

These vulnerabilities would allow an authenticated user to run a specially crafted trusted solution package to execute arbitrary SQL commands. From there they would be able to escalate and execute commands as db_owner within their Dynamics 365 database. The fact that the user must be authenticated makes it harder to exploit these vulnerabilities.

Run the Patch Tuesday September 2022 Audit Report

To help manage your update progress, we’ve created the Patch Tuesday Audit Report that checks if the assets in your network are on the latest patch updates. The report has been color-coded to see which machines are up-to-date and which ones still need to be updated. As always, system administrators are urged to update their environment as soon as possible to ensure all endpoints are secured.

The Lansweeper Patch Tuesday report is automatically added to Lansweeper Cloud sites. Lansweeper Cloud is included in all our licenses without any additional cost and allows you to federate all your installations into one single view so all you need to do is look at one report, automatically added every patch Tuesday!

Patch Tuesday September 2022 CVE Codes & Titles

Receive the Latest Patch Tuesday Report for FREE Every Month

"*" indicates required fields

Email*

Hidden

EmailType

Hidden

IM – Conv Page – Processing

Hidden

IM – UTM_Campaign FC – Processing

Hidden

IM – UTM_Campaign LC – Processing

Hidden

IM – UTM_Content FC – Processing

Hidden

IM – UTM_Content LC – Processing

Hidden

IM – UTM_Medium FC – Processing

Hidden

IM – UTM_Medium LC – Processing

Hidden

IM – UTM_Source FC – Processing

Hidden

IM – UTM_Source LC – Processing

Hidden

IM – UTM_Term FC – Processing

Hidden

IM – UTM_Term LC – Processing

Hidden

gclid

Hidden

msclkid

Phone

This field is for validation purposes and should be left unchanged.

Count Me In Submit