---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Multiple Critical Vulnerabilities in Microsoft Products'
version: '1.0'
number: '2022-060'
original_date: 'August 9, 2022'
date: 'August 10, 2022'
---

_History:_

* _10/08/2022 --- v1.0 -- Initial publication_

# Summary

On August 9, Microsoft released its August 2022 Patch Tuesday advisory, including fixes for 2 zero-day vulnerabilities identified as `CVE-2022-34713` and `CVE-2022-30134`, which affect, respectively, the Microsoft Windows Support Diagnostic Tool (MSDT) and Microsoft Exchange Server [1].

The patch also contains fixes for 17 critical vulnerabilities affecting Active Directory Domain Services, Azure Batch Node Agent, Microsoft Exchange Server, Remote Access Service Point-to-Point Tunneling Protocol, Windows Hyper-V and Windows Kernel (SMB Client and Server), Windows Point-to-Point Tunneling Protocol and Windows Secure Socket Tunneling Protocol (SSTP) [2].

Patching affected devices is highly recommended.

# Technical Details

## CVE-2022-34713 - MSDT Remote Code Execution Vulnerability

This vulnerability, with a CVSS score of 7.8 out of 10, affects the Microsoft Windows Support Diagnostic Tool and could allow an attacker to execute code on a device. Exploitation relies on the user opening a specially crafted file, such as an email attachment or a file downloaded from a website.

## CVE-2022-30134 - Microsoft Exchange Information Disclosure Vulnerability

This vulnerability, with a CVSS score of 7.6, affects Microsoft Exchange Server and could allow an attacker to read targeted email messages.

## Other Critical Vulnerabilities

17 other **critical** vulnerabilities have also been patched. Even if they are not yet exploited, they are likely to be targeted soon, based on reverse engineering of the available patches.

# Affected Products

List of all products affected by the vulnerabilities in the August advisory:

- .NET 6.0
- .NET Core 3.1
- Azure Batch
- Azure Real Time Operating System GUIX Studio
- Azure Site Recovery VMWare to Azure
- Azure Sphere
- Microsoft 365 Apps for Enterprise
- Microsoft Excel
- Microsoft Exchange Server
- Microsoft Office
- Microsoft Outlook
- Microsoft Visual Studio
- Open Management Infrastructure
- System Center Operations Manager (SCOM)
- Windows 10
- Windows 11
- Windows 7 SP1
- Windows 8.1
- Windows RT 8.1
- Windows Server 2008
- Windows Server 2012
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows Server, version 20H2 (Server Core Installation)

# Recommendations

Microsoft and CERT-EU strongly recommend installing security updates as soon as possible.

# References

[1]

[2]