March 9, 2022
It just so happens that from a CVE perspective, March is kind of a dull month… not that anyone would complain given recent history. Hopefully this will give everyone a bit of reprieve to catch up on the behemoth releases from the past few months.
Included in this pack are 3 zero-days (also known as previously disclosed prior to this release) and 3 critical vulnerabilities. The zero-days include CVE-2022-24512, which affects the .NET Framework and Visual Studio, and CVE-2022-21990, for Remote Desktop Client. These are both RCE (Remote Code Execution) vulnerabilities. The other zero-day, CVE-2022-24459, is a privilege escalation vulnerability in the Windows Fax and Scan service that requires the attacker to have local access.
Of the critical vulnerabilities this month, the one really worth paying attention to is CVE-2022-23277, an RCE that affects Microsoft Exchange Server. Thankfully, this is another local (or post-authentication) vulnerability, so threats would have to be extremely targeted, possibly requiring an insider to instigate the attack.
The only real story this month is the number of CVEs released for Microsoft’s Edge browser… an eyebrow-raising 23 bugs. These all affect the underlying Chromium codebase for Edge, and none of them were rated as critical.
As always, Balbix can identify all affected assets within 1 hour of release. There are no scans to run. Balbix customers simply search for the CVE name in their Balbix dashboard to view the list of affected assets. Users can also use the filtered search functionality to search for the CVE by site, subnet, location, or other distinguishing factors.