This month, Microsoft fixed 119 vulnerabilities, including 10 rated critical and 2 zero-days.
CVE-2022-24521 and CVE-2022-26904 are “only” privilege escalation vulnerabilities, but combined with other bugs they might allow an attacker to execute code at the SYSTEM level. Because exploitation of the first one has already been detected and the second one is rated “exploitation more likely”, please consider patching ASAP.
CVE-2022-26809 is marked as “exploitation more likely” and could allow a remote attacker to execute code with high privileges on an affected system. No user interaction is required, so it might be used between machines where RPC can be reached. Please check if TCP/135 is blocked at the network perimeter (the typical scenario) to eliminate the risk from outside, but definitely put a high priority on this one.
CVE-2022-24491 and CVE-2022-24497 occur only on systems with the NFS role enabled. Once again, a remote attacker could execute code with high privileges and without user interaction. The situation is very similar to the one above: please check if the ports, especially port 2049, are blocked at the network perimeter. This is also a high priority!
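One way to run the checks recommended above for CVE-2022-26809 and the two NFS vulnerabilities, as an added example that is not part of the original post or any Microsoft guidance. The host names are constructed placeholders; the first function is meant to be run from outside the perimeter and the second locally on each Windows Server.

```powershell
# Added example: perimeter and role checks for the RPC and NFS issues above.
# Host names are constructed placeholders; substitute your own inventory.
$Targets = @('srv01.example.com', 'srv02.example.com')
$Ports = @{
    135  = 'RPC endpoint mapper (CVE-2022-26809)'
    2049 = 'NFS (CVE-2022-24491, CVE-2022-24497)'
}

function Test-PerimeterExposure {
    # Run from a host OUTSIDE the perimeter: Reachable should be False everywhere.
    param([string[]]$ComputerName, [hashtable]$Port)
    foreach ($computer in $ComputerName) {
        foreach ($p in ($Port.Keys | Sort-Object)) {
            $open = Test-NetConnection -ComputerName $computer -Port $p `
                -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{
                Computer  = $computer
                Port      = $p
                Service   = $Port[$p]
                Reachable = [bool]$open
            }
        }
    }
}

function Get-NfsServerRole {
    # Run locally on a Windows Server: the NFS CVEs apply only if the role is installed.
    if (-not (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            NfsRole  = 'Unknown (ServerManager module not available)'
        }
    }
    $feature = Get-WindowsFeature -Name 'FS-NFS-Service'
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        NfsRole  = if ($feature.Installed) { 'Installed' } else { 'Not installed' }
    }
}

# Any row with Reachable = True is a host whose port is exposed to this vantage point.
Test-PerimeterExposure -ComputerName $Targets -Port $Ports |
    Sort-Object Reachable -Descending | Format-Table -AutoSize
Get-NfsServerRole | Format-List
```

A blocked port only removes exposure from that vantage point; hosts that can reach each other internally still need the update.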
Below you can see the most important CVEs released by Microsoft for April 2022 (zero-days, criticals, and those with a CVSS score of at least 8.0). Besides the vulnerabilities already mentioned, you can also find several quite interesting ones concerning SMB, LDAP, DNS, Kerberos, or RDP.
CVE Number | CVE Title | Severity (CVSS score) | Attack Vector | Attack Complexity | Privileges Required | User interaction | Exploit Code Maturity | Applicable for |
---|---|---|---|---|---|---|---|---|
CVE-2022-24521 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important (7.8) | Local | Low | Low | None | Functional/Exploited | Windows 7+ Server 2008+ |
CVE-2022-26904 | Windows User Profile Service Elevation of Privilege Vulnerability | Important (7.0) | Local | High | Low | None | Functional | Windows 7+ Server 2008+ |
CVE-2022-26809 | RPC Runtime Library Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 7+ Server 2008+ |
CVE-2022-24491 | Windows Network File System Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 8.1+ Server 2012+ |
CVE-2022-24497 | Windows Network File System Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Windows 8.1+ Server 2012+ |
CVE-2022-24541 | Windows Server Service Remote Code Execution Vulnerability | Critical (8.8) | Network | Low | None | Required | Unproven | Windows 7+ Server 2008+ |
CVE-2022-24500 | Windows SMB Remote Code Execution Vulnerability | Critical (8.8) | Network | Low | None | Required | Unproven | Windows 7+ Server 2008+ |
CVE-2022-23259 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | Critical (8.8) | Network | Low | Low | None | Unproven | Dynamics 365 (on-premises) 9.0 – 9.1 |
CVE-2022-23257 | Windows Hyper-V Remote Code Execution Vulnerability | Critical (8.6) | Local | Low | Low | None | Unproven | Windows 10 20H2+ Server 20H2+ |
CVE-2022-22008 | Windows Hyper-V Remote Code Execution Vulnerability | Critical (7.7) | Local | High | Low | None | Unproven | Windows 8.1+ Server 2012 R2+ |
CVE-2022-24537 | Windows Hyper-V Remote Code Execution Vulnerability | Critical (7.7) | Local | High | Low | None | Unproven | Windows 10+ Server 2016+ |
CVE-2022-26919 | Windows LDAP Remote Code Execution Vulnerability | Critical (8.1) | Network | Low | None | Required | Unproven | Windows 7+ Server 2008+ |
CVE-2022-24492 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 7+ Server 2008+ |
CVE-2022-24528 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 7+ Server 2008+ |
CVE-2022-26815 | Windows DNS Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | High | None | Unproven | Server 2008+ |
CVE-2022-24487 | Windows Local Security Authority (LSA) Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Server 2016+ |
CVE-2022-24490 | Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability | Important (8.1) | Network | Low | Low | None | Unproven | Server 2016+ |
CVE-2022-24539 | Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability | Important (8.1) | Network | Low | Low | None | Unproven | Server 2016+ |
CVE-2022-24545 | Windows Kerberos Remote Code Execution Vulnerability | Important (8.1) | Network | High | None | None | Unproven | Windows 10+ Server 2016+ |
CVE-2022-24533 | Remote Desktop Protocol Remote Code Execution Vulnerability | Important (8.0) | Network | Low | Low | Required | Unproven | Windows 7+ Server 2012+ |