CVE-2022-33637: Microsoft Defender for Endpoint Tampering Vulnerability

Overview

Severity
Medium (CVSS 6.5)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C
Category
Tampering
Exploit Status
Not Exploited
Exploitation Likelihood
Less Likely
Patch Tuesday
2022-Jul
Released
2022-07-12
Last Updated
2025-07-08
EPSS Score
0.42% (percentile: 62.1%)

FAQ

What is the nature of this vulnerability?
This is a client-side code vulnerability: the MDE sensor on Linux used an uninitialized buffer from its buffer pool. The stale contents affect the IP field, so any remote connection, including a failed one, is classified as a ‘Successful remote logon’. This in turn triggers a false-positive alert.

Which platforms are affected by this vulnerability?
All Linux machines are affected. The impact is more severe on servers that are under heavy network/login load.

How was the vulnerability addressed?
The fix enforces full initialization of each buffer before use.

What version of the product contains the update that addressed the vulnerability?
The fix is included in Defender version 101.68.80. Customers are advised to ensure their Defender client is the latest version.
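The following C program is an added illustration of the failure mode the FAQ describes, not code from Microsoft Defender for Endpoint; the event layout, the pool, and the alert rule are simplified assumptions, and the sample address is constructed. It models a fixed-size pool of connection-event records: a successful connection writes the remote IP, a failed handshake never touches the IP field, and the alert rule treats a non-empty IP as a successful remote logon. Handing out pool slots without clearing them lets every failed connection inherit the IP left by an earlier success, which is exactly the false-positive pattern; clearing each slot before use (the fix the advisory describes) removes it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define POOL_SLOTS 4
#define IP_LEN 46   /* room for an IPv6 text address plus terminator */

/* Hypothetical event record; the real sensor's layout is not public. */
struct conn_event {
    char remote_ip[IP_LEN];  /* written only when a connection completes */
    bool connected;
};

static struct conn_event pool[POOL_SLOTS];
static int next_slot;

/* Vulnerable acquire: returns the next slot with whatever it held before. */
static struct conn_event *acquire_uninitialized(void) {
    struct conn_event *e = &pool[next_slot];
    next_slot = (next_slot + 1) % POOL_SLOTS;
    return e;
}

/* Fixed acquire: same slot rotation, but the record is fully cleared first. */
static struct conn_event *acquire_initialized(void) {
    struct conn_event *e = acquire_uninitialized();
    memset(e, 0, sizeof *e);
    return e;
}

/* A completed connection records the peer address. */
static void record_success(struct conn_event *e, const char *ip) {
    strncpy(e->remote_ip, ip, IP_LEN - 1);
    e->remote_ip[IP_LEN - 1] = '\0';
    e->connected = true;
}

/* A failed handshake has no peer address to record, so the IP field is left alone. */
static void record_failure(struct conn_event *e) {
    e->connected = false;
}

/* Simplified alert rule (assumption): any non-empty remote IP counts as a successful remote logon. */
static bool is_successful_remote_logon(const struct conn_event *e) {
    return e->remote_ip[0] != '\0';
}

/* Simulate a busy server: every slot is first used by a real success, then
 * 'failures' failed connections arrive. Returns how many of those failures
 * the alert rule wrongly reports as successful remote logons. */
static int false_positives(struct conn_event *(*acquire)(void), int failures) {
    memset(pool, 0, sizeof pool);
    next_slot = 0;

    for (int i = 0; i < POOL_SLOTS; i++)
        record_success(acquire(), "203.0.113.10");  /* constructed TEST-NET-3 address */

    int fp = 0;
    for (int i = 0; i < failures; i++) {
        struct conn_event *e = acquire();
        record_failure(e);
        if (is_successful_remote_logon(e))
            fp++;
    }
    return fp;
}

int main(void) {
    printf("uninitialized pool: %d of 8 failed connections flagged as remote logon\n",
           false_positives(acquire_uninitialized, 8));
    printf("initialized pool:   %d of 8 failed connections flagged as remote logon\n",
           false_positives(acquire_initialized, 8));
    return 0;
}
```

Under load, the uninitialized pool flags every failed connection because each slot still carries the address from its previous occupant, which matches the advisory's note that heavily loaded servers were hit hardest; the cleared pool flags none.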

Affected Products (1)

System Center

  • Microsoft Defender for Endpoint for Linux

Security Updates (1)

Acknowledgments

James Sharpe with Zenotech Ltd (https://www.zenotech.com/)

Revision History

  • 2022-07-12: Information published.
  • 2022-07-25: Added FAQ information. This is an informational change only.
  • 2025-07-08: Updated links to security updates. This is an informational change only.