June has seen the release of multiple security updates, including key patches for Google’s Chrome and Android, among others, as well as dozens of patches for Microsoft products, including fixes for a Windows zero-day vulnerability that attackers had already exploited. Apple updates were absent at the time of writing, but the month also featured some key business-focused patches for Citrix, SAP and Cisco products.
Here’s what you need to know about the major patches released in the past month.
microsoft
Microsoft’s Patch Tuesday release was pretty hefty in June, including fixes for 55 bugs in the tech giant’s products. This patch Tuesday was especially significant because it addressed an already exploited remote code execution (RCE) issue in Windows called Follina, which Microsoft has been aware of since at least May.
Maintained as CVE-2022-30190, Follina, which takes advantage of vulnerabilities in the Windows Support Diagnostic tool and can be run without opening a document, has already been used by multiple criminal groups and state-sponsored attackers.
Three of the vulnerabilities addressed in Patch Tuesday that affect Windows Server are RCE bugs and are rated as critical. However, the patches seem to break some VPN and RDP connections, so be careful.
Google Chrome
Google Chrome updates keep coming thick and fast. That’s okay, because the world’s most popular browser is by default one of the biggest targets for hackers. In June, Google released Chrome 103 with patches for 14 vulnerabilities, some of which are serious.
Tracked as CVE-2022-2156, the biggest bug is a use-after-free issue in Base reported by Google’s Project Zero bug-hunting team that could lead to arbitrary code execution, denial of service, or data corruption . Worse, when the flaw is chained to other vulnerabilities, it can lead to a full-blown system compromise.
Other issues addressed in Chrome include vulnerabilities in Interest Groups, WebApp Provider, and a flaw in the V8 Javascript and WebAssembly engine.
google-android
Of the multiple Android vulnerabilities that Google patched in June, the most serious is a critical security vulnerability in the system component that could allow remote code execution without the need for additional execute permissions, Google said in its Android security bulletin.
Google has also released updates for its Pixel devices to fix issues in the Android Framework, Media Framework, and System Components.
Samsung users seem to have gotten lucky with Android updates lately, with the device maker rolling out its patches very quickly. The June security update is no different, reaching straight for the Samsung Galaxy Tab S7 series, Galaxy S21 series, Galaxy S22 series and the Galaxy Z Fold 2.
Cisco
Software maker Cisco released a patch in June to fix a critical vulnerability in Cisco Secure Email and Web Manager and Cisco Email Security Appliance that could allow an attacker to bypass remote authentication and log into an affected device’s web management interface.
The issue, maintained as CVE-2022-20798, could be exploited if an attacker enters something specific on the affected device’s login page, which would allow access to the web-based administration interface, Cisco said.
Citrix
Citrix has issued a warning urging users to patch some major vulnerabilities that could allow attackers to reset administrator passwords. The vulnerabilities in Citrix Application Delivery Management could lead to system corruption by a remote, unauthenticated user, Citrix said in a security bulletin. “The impact of this could be that the administrator password is reset on the next device reboot, allowing an attacker with ssh access to connect to the default administrator credentials after the device reboots,” the company wrote.
Citrix recommends segmenting traffic to the Citrix ADM’s IP address from standard network traffic. This reduces the risk of exploitation, it said. However, the vendor also urged customers to install the updated versions of the Citrix ADM server and Citrix ADM agent “as soon as possible.”
JUICE
Software company SAP has released 12 security patches as part of the June Patch Day, three of which are serious. The first listed by SAP relates to an update released on April 2018 Patch Day and applies to the Google Chromium browser controller used by the company’s enterprise customers. Details of this vulnerability are not available, but it has a severity rating of 10, so the patch should be applied immediately.
Another important fix is an issue in the SAProuter proxy in NetWeaver and ABAP Platform that could allow an attacker to run SAProuter administrative commands from a remote client. The third major patch fixes a privilege escalation bug in SAP PowerDesigner Proxy 16.7.
Splunk Enterprise
Splunk has released a number of out-of-band patches for its Enterprise product that address issues, including a critical vulnerability that could lead to arbitrary code execution.
Labeled as CVE-2022-32158, the flaw could allow an adversary to compromise a Universal Forwarder endpoint and run code on other endpoints connected to the deployment server. Fortunately, there is no evidence that the vulnerability has been used in real attacks.
Ninja Forms WordPress Plugin
Ninja Forms, a WordPress plugin with over a million active installs, has fixed a serious problem likely used by attackers in the wild. “We discovered a code injection vulnerability that allowed unauthenticated attackers to call a limited number of methods in several Ninja Forms classes, including one that unserialized user-supplied content, resulting in in Object Injection”, security analysts at the WordPress Wordfence Threat, the intelligence team reports in an update.
This could allow attackers to run arbitrary code or delete arbitrary files on sites where a separate POP chain existed, researchers said.
The bug has been fully fixed in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4 and 3.6.11. WordPress appears to have performed a forced auto-update for the plugin, so your site may already be using one of the patched versions.
Atlassian
Australian software company Atlassian has released a patch to fix a zero-day flaw that is already being exploited by attackers. Tracked as CVE-2022-26134, the RCE vulnerability in the Confluence Server and Data Center can be used to backdoor Internet-exposed servers.
GitLab
GitLab has released patches for versions 15.0.1, 14.10.4, and 14.9.5 for GitLab Community Edition and Enterprise Edition. The updates contain key security fixes for eight vulnerabilities, one of which could allow account takeover.
With this in mind, the company strongly recommends that all GitLab installations be upgraded to the latest version as soon as possible. GitLab.com already uses the patched version.