Why is this Intel CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in certain processor models offered by Intel. The mitigation for this vulnerability requires a firmware update, and a corresponding Windows updates enables the mitigation. This CVE is being documented in the Security Update Guide to announce that the latest builds of Windows enable the mitigation and are not vulnerable to the issue when paired with the firmware update.

Please see the following for more information:

• Microsoft Advisory 220002
• Intel-SA-00615

Information published.

Why is this Intel CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in certain processor models offered by Intel. The mitigation for this vulnerability requires a firmware update, and a corresponding Windows updates enables the mitigation. This CVE is being documented in the Security Update Guide to announce that the latest builds of Windows enable the mitigation and are not vulnerable to the issue when paired with the firmware update.

Please see the following for more information:

• Microsoft Advisory 220002
• Intel-SA-00615

Information published.

Why is this Intel CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in certain processor models offered by Intel. The mitigation for this vulnerability requires a firmware update, and a corresponding Windows updates enables the mitigation. This CVE is being documented in the Security Update Guide to announce that the latest builds of Windows enable the mitigation and are not vulnerable to the issue when paired with the firmware update.

Please see the following for more information:

• Microsoft Advisory 220002
• Intel-SA-00615

Information published.

Why is this Intel CVE included in the Security Update Guide?

The vulnerability assigned to this CVE is in certain processor models offered by Intel. The mitigation for this vulnerability requires a firmware update, and a corresponding Windows updates enables the mitigation. This CVE is being documented in the Security Update Guide to announce that the latest builds of Windows enable the mitigation and are not vulnerable to the issue when paired with the firmware update.

Please see the following for more information:

• Microsoft Advisory 220002
• Intel-SA-00615

Information published.

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

Exploitation of the vulnerability requires that a user open a specially crafted file.

• In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.
• In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.

An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.

For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.

What is the difference between HEVC Video Extension and HEVC Video Extensions?

HEVC Video Extension is available to consumers and HEVC Video Extensions is used by device OEMs.

How can I check if the update is installed?

If your device manufacturer preinstalled this app, package versions 2.0.51121.0 and later contain this update.

If you purchased this app from the Microsoft Store, package versions 2.0.51122.0 and later contain this update.

You can check the package version in PowerShell:

Get-AppxPackage -Name Microsoft.HEVCVideoExtension*

Information published.

What are some of the services affected by this vulnerability?

The following table lists some of the affected services, and the changes associated with the remedy for this vulnerability:

What is OMI?

Open Management Infrastructure (OMI) is an open source project to further the development of a production quality implementation of the DMTF CIM/WBEM standards. The OMI CIMOM is also designed to be portable and highly modular. In order to attain its small footprint, it is coded in C, which also makes it a much more viable CIM Object Manager for embedded systems and other infrastructure components that have memory constraints for their management processor. OMI is also designed to be inherently portable. It builds and runs today on most UNIX® systems and Linux. In addition to OMI's small footprint, it also demonstrates very high performance.

How do I protect myself from this vulnerability?

Information published.

According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally.

For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.

What is the difference between HEVC Video Extension and HEVC Video Extensions?

HEVC Video Extension is available to consumers and HEVC Video Extensions is used by device OEMs.

Is Windows vulnerable in the default configuration?

No. Only customers who have installed the optional HEVC or "HEVC from Device Manufacturer" media codecs from Microsoft Store may be vulnerable.

How do I get the updated Windows Media Codec?

Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update.

Alternatively, customers who want to receive the update immediately can check for updates with the Microsoft Store App; more information on this process can be found here.

Why are these security updates offered to affected clients via the Microsoft Store and not Windows Update?

These updates are for optional apps/components that are offered to customers as a download via the Microsoft Store. Updates for optional store apps/components are provided via the Microsoft Store.

My server is in a disconnected environment, is it vulnerable?

HEVC is not available for offline distribution and not supported on Windows Server. Users should not have it installed in these environments. Enterprise customers using Store for Business will receive the update in the same manner as consumer Store.

Why are these updates being offered outside of Update Tuesday?

Servicing for store apps/components does not follow the monthly “Update Tuesday” cadence, but are offered whenever necessary.

Are these updates for Microsoft store apps/components offered automatically when an affected component is on the system?

Yes. However, it is possible to turn off automatic updating for store apps. In that scenario, these updates would not be installed automatically.

How can I check from PowerShell if the update is installed?

The following command will display the version of the installed package:

Get-AppxPackage -Name Microsoft.HEVCVideoExtension*

How can I check if the update is installed?

If your device manufacturer preinstalled this app, package versions 2.0.51121.0 and later contain this update.

If you purchased this app from the Microsoft Store, package versions 2.0.51122.0 and later contain this update.

You can check the package version in PowerShell:

Get-AppxPackage -Name Microsoft.HEVCVideoExtension*

Information published.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.

According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

This vulnerability could lead to a browser sandbox escape.

Why is the severity for this CVE rated as Moderate, but the CVSS score is higher than normal?

Per our severity guidelines, the amount of user interaction or preconditions required to allow this sort of exploitation downgraded the severity, specifically it says, "If a bug requires more than a click, a key press, or several preconditions, the severity will be downgraded". The CVSS scoring system doesn't allow for this type of nuance.

How could an attacker exploit this vulnerability via the Network?

An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action, typically by an enticement in an email or instant message, or by getting the user to open an attachment sent through email.

What is the version information for this release?

Information published.

Information published.

Information published.

Information published.

Information published.

How could an attacker exploit this vulnerability?

This vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE).

Information published.

According to the CVSS metric, Privileges Required is High (PR:H). What would lead to a successful attack?

In order for the successful attack to be initiated, the attacker would need to have read/write access to the cluster and the ability to host a hostile code without any isolation.

What is being fixed in CVE-2022-30137?

Azure Service Fabric team is releasing a patch to further strengthen the security in the Linux cluster by adapting the principle of path to least privilege. Windows cluster are NOT impacted by this vulnerability.

How to protect yourself?

Customers without automatic updates enabled should upgrade their Linux clusters to the most recent Service Fabric release. Customers whose Linux clusters are automatically updated do not need to take further action.

We have also updated our public security guidance to include details regarding the implications of hosting untrusted code or having one’s containers compromised. Please see the information here: Hosting untrusted applications in a Service Fabric cluster

Information published.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment of the targeted component.

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

Successful exploitation of this vulnerability requires a user to place a call to trigger the vulnerability.

Information published.

Are there any special conditions necessary for this vulnerability to be exploitable?

Yes. This vulnerability is only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. Systems with the default value of this policy would not be vulnerable.

For more information, please see LDAP policies.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.

How could an attacker exploit this vulnerability?

An unauthenticated attacker could send a specially crafted request to a vulnerable server. Successful exploitation could result in the attacker's code running in the context of the SYSTEM account.

Information published.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

This vulnerability could be triggered when a windows client connects to a malicious remote share.

Information published.

Are there any special conditions necessary for this vulnerability to be exploitable?

Yes. This vulnerability is only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. Systems with the default value of this policy would not be vulnerable.

For more information, please see LDAP policies.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.

According to the CVSS metric, the attack vector is network (AV:N) and the user interaction is required (UI:R). What is the target context of the remote code execution?

An authenticated victim who is connected to the network must be tricked or persuaded to connect to a malicious LDAP server using their LDAP client application. After the connection is made, the server can send specially crafted replies to the client that exploit the vulnerability and permit execution of arbitrary code within the context of the user's LDAP client application.

Information published.