On 10 May 2022, Microsoft released updates to address 75 vulnerabilities; eight were classified as critical, three were publicly disclosed, and one of them is being exploited. We recommend applying the latest updates as soon as possible.
Exploited vulnerability
Microsoft noted that threat actors are exploiting a publicly disclosed flaw tracked as CVE-2022-26925. This vulnerability affects Local Security Authority (LSA), a process in Microsoft Windows responsible for enforcing the security policy on the system. An unauthenticated threat actor could call a method on the LSA Remote Procedure Call (RPC) interface and force a domain controller to authenticate using Windows New Technology LAN Manager (NTLM).
Microsoft rated this flaw as “important” and assigned a CVSS risk score of 8.1 out of 10. However, when paired with an NTLM Relay Attack on Active Directory Certificate Services (AD CS), it could lead to Remote Code Execution (RCE); Microsoft assessed that the CVSS score would then increase to 9.8.
This vulnerability affects all servers, but domain controllers should be prioritized when applying security updates.
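The exploited flaw above forces a domain controller to authenticate with NTLM to a host of the attacker's choosing, which the relay then replays to a service such as AD CS. The telltale sign on the receiving side is a DC computer account performing an NTLM network logon from an address that is not a DC, and on the DC itself an NTLM validation (event 4776) for its own account from an unknown workstation. The following is an added example, not code from the original advisory, that runs that check over constructed, flattened Security log events; the DC inventory, hostnames and addresses are assumed.

```python
import re

# Constructed sample events (not real telemetry): Security log 4624 (network logon)
# and 4776 (NTLM credential validation) fields flattened into key=value pairs.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=3 AuthPackage=NTLM AccountName=DC01$ Domain=CORP SourceIP=10.0.0.5 Target=CA01",
    "EventID=4624 LogonType=3 AuthPackage=Kerberos AccountName=DC01$ Domain=CORP SourceIP=10.0.0.10 Target=CA01",
    "EventID=4624 LogonType=3 AuthPackage=NTLM AccountName=jsmith Domain=CORP SourceIP=10.0.0.77 Target=FS01",
    "EventID=4624 LogonType=3 AuthPackage=NTLM AccountName=DC01$ Domain=CORP SourceIP=10.0.0.10 Target=FS01",
    "EventID=4776 AuthPackage=MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 AccountName=DC02$ Workstation=WS-UNKNOWN",
]

# Assumption: an inventory of domain controller computer accounts with their known
# addresses and hostnames (hypothetical values for this example).
DOMAIN_CONTROLLERS = {
    "DC01$": {"ips": {"10.0.0.10"}, "hosts": {"DC01"}},
    "DC02$": {"ips": {"10.0.0.11"}, "hosts": {"DC02"}},
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened 'key=value ...' event line into a dict."""
    return dict(FIELD_RE.findall(line))


def coerced_dc_auth_reason(event):
    """Return why the event looks like a DC account authenticating via NTLM from a
    non-DC location, or None if it is unremarkable."""
    acct = event.get("AccountName", "")
    dc = DOMAIN_CONTROLLERS.get(acct.upper())
    if dc is None:                      # not a DC machine account: ignore
        return None
    eid = event.get("EventID")
    # Relay target side: NTLM network logon by a DC account from an address no DC owns.
    if eid == "4624" and event.get("LogonType") == "3" and event.get("AuthPackage") == "NTLM":
        src = event.get("SourceIP", "")
        if src not in dc["ips"]:
            return f"NTLM network logon by {acct} on {event.get('Target')} from non-DC address {src}"
    # DC side: NTLM validation of its own account claimed from an unknown workstation.
    if eid == "4776":
        ws = event.get("Workstation", "")
        if ws.upper() not in dc["hosts"]:
            return f"NTLM validation of {acct} from non-DC workstation {ws}"
    return None


def find_suspicious(lines):
    """Run the check over event lines and return the list of alert reasons."""
    return [r for r in (coerced_dc_auth_reason(parse_event(l)) for l in lines) if r]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Kerberos logons by DC accounts and NTLM logons from a DC's own address are left alone, so only the coerced or relayed pattern surfaces.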
Critical vulnerabilities
The most notable of the vulnerabilities that were labelled as critical include:
- CVE-2022-26937 – an RCE in Windows Network File System (NFS), a non-default Windows component. Unauthenticated threat actors could use it to execute code in the context of the service on systems running NFS versions prior to 4.1. CVSS: 9.8
- CVE-2022-22012 and CVE-2022-29130 are both RCE flaws in Windows Lightweight Directory Access Protocol (LDAP) requiring a non-default configuration. The MaxReceiveBuffer LDAP policy has to be set to a value higher than the default value in order for it to be exploitable. CVSS: 9.8
- CVE-2022-21972 and CVE-2022-23270 are both RCE vulnerabilities in the Point-to-Point Tunneling Protocol (PPTP) affecting Windows OS and Server. Successful exploitation requires a malicious party to win a race condition. An unauthenticated attacker could send a specially crafted connection request to a Remote Access Server (RAS), which could lead to RCE on the RAS machine. CVSS: 8.1
- CVE-2022-26923 is a privilege escalation vulnerability in the Active Directory (AD) Domain Server. An issue with certificate issuance could be exploited to authenticate to a domain controller with a high level of privilege. A domain-authenticated user able to include crafted data in a certificate request can become a domain admin if AD Certificate Services are running on the domain. CVSS: 8.8
Publicly disclosed vulnerabilities
Two of the vulnerabilities fixed this month have public details available, which increases the likelihood of them being leveraged by threat actors.
- CVE-2022-22713 is a Denial-of-Service vulnerability in Windows Hyper-V on Windows 10 on X64-based systems and Windows Server 2019. Hyper-V (Viridian) is a technology that allows users to create virtual computer environments. Microsoft rated the flaw as “Important” and assigned a CVSS risk score of 5.6. Exploitation requires prior authentication and manipulation of an unknown input.
- On 9 May, Microsoft released an advisory on a publicly disclosed vulnerability affecting Azure Data Factory and Azure Synapse Pipelines through a third-party Open Database Connectivity (ODBC) driver. The vulnerability, tracked as CVE-2022-29972, could allow remote commands across Integration Runtimes (IR) infrastructure – a compute infrastructure that provides data integration capabilities across network environments.
  - Threat actors could use the vulnerability to access and control other customers’ workspaces; this may include access to sensitive data, such as Azure service keys, API tokens, and passwords to other services. CVSS: 8.1
  - Azure Data Factory or Azure Synapse pipeline customers hosted in the Azure cloud (Azure Integration Runtime) do not need to take any action. The same is true for those who host on-premises (Self-Hosted Integration Runtime) with auto-updates turned on. However, customers using Azure Data Factory with Self-hosted IRs (SHIRs) with no auto-update need to download the latest version (5.17.8154.2) from Microsoft’s Download Center.
Recommendations
We recommend timely patching of the Microsoft vulnerabilities noted as critical and publicly disclosed in order to decrease the likelihood of exploitation.
Microsoft has reported authentication failures after installing the updates on servers used as domain controllers; testing should be conducted prior to patching. We recommend consulting the Known Issues and Microsoft Support Document referenced below prior to applying the updates.
In order to expedite the updates, users should go to Settings > Windows Update > Check for Updates.
References