Microsoft Patches 3 Zero-Days, HP Patches 16 UEFI Vulnerabilities & Critical Vulnerabilities patched in APC Smart UPS
March 10, 2022
Microsoft Patches 3 Zero-Days & 3 Critical RCE vulnerabilities
As part of the monthly security rollup updates, Microsoft has patched 3 Zero-Days, one being actively exploited in the wild, and 3 Critical-Rated Microsoft Security vulnerabilities.
In total, Microsoft has patched 71 vulnerabilities, not including 21 Microsoft Edge vulnerabilities.
The Vulnerabilities:
The Zero-Day vulnerabilities:
- CVE-2022-21990 (CVSS:3.1 8.8, High) – Remote Desktop Client (RDP) Remote Code Execution Vulnerability
- CVE-2022-24512 (CVSS:3.1 6.3, Medium) – .NET and Visual Studio Remote Code Execution Vulnerability
- CVE-2022-24459 (CVSS:3.1 7.8 / 7.0) – Windows Fax and Scan Service Elevation of Privilege Vulnerability.
The RCE Vulnerabilities:
- CVE-2022-23277 (CVSS:3.1 8.8, High) – Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2022-24501, CVE-2022-22006 (CVSS:3.1 7.8, High) – VP9 Video and HEVC Video Extensions Remote Code Execution vulnerabilities
Mitigation:
CYREBRO recommends implementing the latest available Microsoft security/monthly rollup updates in all relevant systems as soon as possible.
References: Microsoft
HP patches 16 UEFI firmware bugs allowing stealthy malware infections
HP has disclosed 16 high-impact UEFI firmware vulnerabilities that could allow threat actors to infect devices with malware that gains high privileges and remains undetectable by installed security software.
a capable threat actor could potentially exploit them to implant persistent firmware malware that survives OS updates and bypasses UEFI secure Boot, Intel Boot Guard, and virtualization security solutions.
The Vulnerabilities: The vulnerabilities are separated into three buckets based on the component/feature being exploited:
SMM Callout (Privilege Escalation)
- CVE-2021-39298: callout leading to privilege escalation (CVSS – 7.5)
- CVE-2021-23932: callout leading to privilege escalation (CVSS – 8.2)
- CVE-2021-23933: callout leading to privilege escalation (CVSS – 8.2)
SSM (System Management Module)
- CVE-2021-23924: heap buffer overflow leading to arbitrary code execution (CVSS – 8.2)
- CVE-2021-23925: memory corruption leading to arbitrary code execution (CVSS – 8.2)
- CVE-2021-23926: memory corruption leading to arbitrary code execution (CVSS – 8.2)
- CVE-2021-23927: memory corruption leading to arbitrary code execution (CVSS – 8.2)
- CVE-2021-23928: memory corruption leading to arbitrary code execution (CVSS – 8.2)
- CVE-2021-23929: memory corruption leading to arbitrary code execution (CVSS – 8.2)
- CVE-2021-23930: heap buffer overflow leading to arbitrary code execution (CVSS – 8.2)
- CVE-2021-23931: heap buffer overflow leading to arbitrary code execution (CVSS – 8.2)
- CVE-2021-23934: memory corruption leading to arbitrary code execution(CVSS – 8.2)
DXE (Driver eXecution Environment)
- CVE-2021-39297: stack buffer overflow leading to arbitrary code execution (CVSS – 7.7)
- CVE-2021-39299: stack buffer overflow leading to arbitrary code execution (CVSS – 8.2)
- CVE-2021-39300: stack overflow leading to arbitrary code execution (CVSS – 8.2)
- CVE-2021-39301: stack overflow leading to arbitrary code execution (CVSS – 7.7)
Affected Products:
These vulnerabilities affect multiple HP models, including laptops, desktop computers, PoS systems, and edge computing nodes.
Specific affected products are listed here.
Mitigation:
CYREBRO recommends that those use affected products check the HP Customer Support-Software and Driver Downloads site to obtain the latest updates.
References: HP
Critical Zero-Click Vulnerabilities in UPS Devices Patched
3 critical security vulnerabilities found in APC Smart-UPS devices. The vulnerabilities could allow remote code execution (RCE), allowing attackers to cause cyber and physical damage to critical infrastructure.
The vulnerabilities:
- CVE-2022-22805 (CVSS:3.1 9.0, Critical) – TLS buffer overflow/ memory-corruption vulnerability in packet reassembly that can lead to remote code execution
- CVE-2022-22806 (CVSS:3.1 9.0, Critical) – TLS authentication bypass, is a state confusion in the TLS handshake that leads to authentication bypass and RCE
- CVE-2022-0715 (CVSS:3.1 8.9, High) – is a design vulnerability in which the firmware updates on affected devices are not cryptographically signed in a secure manner. an attacker could craft malicious firmware and install it using various paths, including the internet, LAN, or a USB thumb drive.
Affected Products
- PC Smart-UPS devices.
Mitigation
CYREBRO recommends that those who use affected products do the following:
- Install the patches available on the Schneider Electric website
- If you are using the NMC, change the default NMC password (“apc”) and install a publicly-signed SSL certificate so that a potential attacker on your network will not be able to intercept the new password. To further limit the attack surface of your NMC, refer to the Schneider Electric Security Handbook for NMC 2 and NMC 3.
- Deploy access control lists (ACLs) in which the UPS devices are only allowed to communicate with a small set of management devices and the Schneider Electric Cloud via encrypted communications.
References: Armis