2022's last Patch Tuesday brings Citrix, VMware, MSFT zero days

Critical Citrix, VMware, Microsoft vulnerabilities all need patching

Nearly 25,000 software security vulnerabilities have been identified so far in 2022. December’s “Patch Tuesday” added hundreds more as Adobe, Microsoft, SAP and others pushed out fixes for bugs that included zero days – with VMware also urging customers to install a trio of patches for issues including a virtual machine escape vulnerability exploited at a recent hacking challenge and a critical remotely exploitable issue in an API.

Citrix was among those pushing out urgent security updates: a critical zero day vulnerability (CVE-2022-27518) in Citrix ADC and Gateway is being exploited by state-sponsored hackers to gain access to corporate networks, it said, as did the NSA in its own advisory. (Worrying, but the pre-auth RCE only affects older versions of the product, and security firm Wiz estimates that fewer than 1% of cloud enterprise environments are vulnerable.)

The VMware VM escape vulnerability, allocated CVE-2022-31705 with a CVSS score of 9.3, was exploited by Yuhao Jiang, a researcher at China’s Ant Security, on systems running fully patched VMware Fusion, ESXi and Workstation products; the exploit won the top prize at Geekpwn, Tencent Keen Security Lab’s hacking contest. VMware also issued urgent fixes for a pre-authentication, remote code execution (pre-auth RCE) vulnerability in the API of its VMware vRealize Network Insight (vRNI) product, allocated CVE-2022-31702 with a CVSS score of 9.8.

[Image: December Patch Tuesday. Credit: Ivanti.]

December Patch Tuesday highlights

Microsoft CVE-2022-41076, a Windows PowerShell RCE vulnerability, is complex to exploit but allows any user to escape the PowerShell Remoting Session Configuration and run unapproved commands on an affected system. It's one to prioritise.

As the ZDI notes: “Threat actors often try to ‘live off the land’ after an initial breach... use tools already on a system to maintain access and move throughout a network. PowerShell is one such tool, so any bug that bypasses restrictions is likely to be abused by intruders. Definitely don’t ignore this patch.”

Another Microsoft vulnerability has been seen exploited in the wild. CVE-2022-44698 has been discussed in security circles since October and was reported by Will Dormann. It lets attackers create a file that bypasses security features such as Protected View in Microsoft Office. With phishing attacks that rely on people opening attachments rife, such protections are vital in preventing malware and other attacks, and this needs prioritising.

In total Microsoft issued 52 patches, six critical. Adobe fixed 37 CVEs in Illustrator, Experience Manager, and Adobe Campaign Classic; none have been reported as exploited. The first Patch Tuesday of 2023 will be on January 10. Happy patching and wishing all of our readers bug-free reboots where they're necessary.