This month (May 2022), Microsoft fixed 75 vulnerabilities, 7 of them rated Critical, and 3 zero-days.
CVE-2022-26925 – Windows LSA Spoofing Vulnerability
This vulnerability allows an unauthenticated attacker to coerce a domain controller into authenticating to an attacker-controlled server over NTLM. The threat actor needs to be in the logical network path between the target and the requested resource (e.g. a Man-in-the-Middle position). The coerced authentication can then be chained with NTLM relay attacks; if you remember PetitPotam from last year, you know what I'm talking about. Also review KB5005413 and ADV210003 to make sure you are already mitigating NTLM relay attacks against Active Directory Certificate Services (AD CS).
This patch affects some backup functionality on Windows Server 2008 SP2: backup software that relies on the OpenEncryptedFileRaw API will no longer work on that OS after the update. If you are running Windows Server 2008 SP2, read the advisory carefully and verify that your backups can still be used for a restore.
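The two advisories mentioned above (KB5005413 and ADV210003) boil down to a few settings: LDAP signing and channel binding on the domain controllers, and Extended Protection for Authentication (EPA) on the AD CS web enrollment application. The script below is an added example, not code from the original post, that inventories those settings so you can see where a relayed NTLM authentication would still land. It assumes the ActiveDirectory and WebAdministration modules, WinRM access to the domain controllers and the CA host, that the web enrollment host is called PKI01 and that CertSrv sits under the Default Web Site (all of these are assumptions you will need to adjust).

```powershell
# Added example (not from the original post): inventory the NTLM relay mitigations from
# KB5005413 / ADV210003 on every domain controller and on the AD CS web enrollment host.
# Assumptions: ActiveDirectory module available, WinRM to the targets, CA host 'PKI01',
# CertSrv application under 'Default Web Site'.
Import-Module ActiveDirectory

$DCs     = (Get-ADDomainController -Filter *).HostName
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# LDAPServerIntegrity:       1 = signing not required, 2 = require signing
# LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always
$dcReport = Invoke-Command -ComputerName $DCs -ScriptBlock {
    $p = Get-ItemProperty -Path $using:ntdsKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC                        = $env:COMPUTERNAME
        LDAPServerIntegrity       = if ($null -ne $p.LDAPServerIntegrity) { $p.LDAPServerIntegrity } else { 'not set' }
        LdapEnforceChannelBinding = if ($null -ne $p.LdapEnforceChannelBinding) { $p.LdapEnforceChannelBinding } else { 'not set' }
        SigningRequired           = ($p.LDAPServerIntegrity -eq 2)
        ChannelBindingAlways      = ($p.LdapEnforceChannelBinding -eq 2)
    }
}
$dcReport | Format-Table DC, LDAPServerIntegrity, LdapEnforceChannelBinding, SigningRequired, ChannelBindingAlways -AutoSize

# EPA on the AD CS web enrollment application (KB5005413 asks for tokenChecking = Require)
$CAHost = 'PKI01'   # assumption: the AD CS web enrollment server
try {
    $epa = Invoke-Command -ComputerName $CAHost -ScriptBlock {
        Import-Module WebAdministration
        (Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\CertSrv' `
            -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
            -Name 'tokenChecking').Value
    }
    "CertSrv EPA tokenChecking on ${CAHost}: $epa (expected: Require)"
} catch {
    Write-Warning "Could not read EPA setting on ${CAHost}: $($_.Exception.Message)"
}
```

A DC that reports SigningRequired = False or ChannelBindingAlways = False still accepts a relayed NTLM authentication over LDAP/LDAPS; a CertSrv application with tokenChecking other than Require still accepts it over HTTP, which is exactly the PetitPotam-to-AD CS chain the advisories address. The checks only read settings, so they are safe to run during business hours.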
CVE-2022-29972 – Insight Software: Magnitude Simba Amazon Redshift ODBC Driver
The vulnerability is specific to the third-party Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift in Azure Synapse pipelines and the Azure Data Factory Integration Runtime (IR); it did not affect Azure Synapse as a whole. It could have allowed an attacker to achieve remote command execution across IR infrastructure, not limited to a single tenant. If you use these services, review Microsoft's blog post and ADV220001 to make sure you understand the risk to your environment.
CVE-2022-26937 – Windows Network File System Remote Code Execution Vulnerability
This vulnerability allows a remote, unauthenticated attacker to execute code in the context of the Network File System (NFS) service on affected systems. The NFS role is not enabled by default on Windows Server, but if your environment mixes Linux/Unix and Windows, double-check that NFS is not enabled on your systems. The vulnerability is not exploitable over NFSv4.1. Until you have installed the Windows update that fixes it, you can mitigate the attack by disabling NFSv2 and NFSv3 (at the cost of breaking clients that only speak those versions).
To find NFS instances in your domain you can use a PowerShell script like the one below (run it from a host with the ActiveDirectory and ServerManager modules installed, e.g. a management server with RSAT):

```powershell
Import-Module ActiveDirectory
Import-Module ServerManager   # provides Get-WindowsFeature

# Enabled Windows Server computer objects, with the attributes wanted in the report
$Computers = Get-ADComputer -Filter 'OperatingSystem -like "*server*" -and Enabled -eq "True"' -Properties Name,OperatingSystem,OperatingSystemVersion,IPv4Address |
    Sort-Object -Property OperatingSystem |
    Select-Object -Property Name,OperatingSystem,OperatingSystemVersion,IPv4Address

$CSV =
Foreach ($Computer in $Computers){
    # Installed features whose name contains "NFS" (FS-NFS-Service, NFS-Client, ...).
    # Note: an unreachable host also yields an empty $NFS and shows up as "-".
    $NFS =
        Get-WindowsFeature *NFS* -ComputerName $Computer.Name -ErrorAction SilentlyContinue |
        Where-Object {$_.InstallState -eq "Installed"}
    [pscustomobject]@{
        ComputerName    = $Computer.Name
        OperatingSystem = $Computer.OperatingSystem
        NFSInfo         = if($NFS){$NFS.Name -join ";"}else{"-"}
    }
}

New-Item -ItemType Directory -Path "C:\Temp" -Force | Out-Null
$CSV |
    Export-Csv "C:\Temp\NFS_status.csv" -NoTypeInformation
```
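Once you know which servers run the NFS server role, the interim mitigation from the advisory is to turn off NFSv2 and NFSv3 on them. The script below is an added example, not code from the original post: it reads the inventory CSV produced by the script above, reports the NFS protocol versions enabled on each server, and only changes them when run with -Disable. It assumes WinRM access to the targets, that the targets run Windows Server 2012 or later (where the NFS PowerShell module exists), and the file name Disable-LegacyNfs.ps1 for the script itself.

```powershell
# Added example (not from the original post): Disable-LegacyNfs.ps1
# For every host the inventory flagged with the NFS server role, show the enabled NFS
# versions and, with -Disable, turn off NFSv2/NFSv3 (the advisory's mitigation for
# CVE-2022-26937). Assumptions: WinRM access, Windows Server 2012+ targets, inventory at
# C:\Temp\NFS_status.csv with a ComputerName and an NFSInfo column as produced above.
param(
    [string]$Inventory = "C:\Temp\NFS_status.csv",
    [switch]$Disable
)

# FS-NFS-Service (2012+) / FS-NFS-Services (2008 R2) is the "Server for NFS" feature
$targets = Import-Csv $Inventory | Where-Object { $_.NFSInfo -like "*NFS-Service*" }

foreach ($t in $targets) {
    Invoke-Command -ComputerName $t.ComputerName -ArgumentList $Disable.IsPresent -ScriptBlock {
        param($doDisable)
        $cfg    = Get-NfsServerConfiguration
        $before = "NFSv2={0} NFSv3={1} NFSv4={2}" -f $cfg.EnableNFSV2, $cfg.EnableNFSV3, $cfg.EnableNFSV4
        $after  = $before
        if ($doDisable -and ($cfg.EnableNFSV2 -or $cfg.EnableNFSV3)) {
            # Mitigation from the Microsoft advisory; clients that only speak v2/v3 will break
            Set-NfsServerConfiguration -EnableNFSV2 $false -EnableNFSV3 $false
            # The new setting takes effect after the NFS server is restarted
            nfsadmin server stop
            nfsadmin server start
            $cfg   = Get-NfsServerConfiguration
            $after = "NFSv2={0} NFSv3={1} NFSv4={2}" -f $cfg.EnableNFSV2, $cfg.EnableNFSV3, $cfg.EnableNFSV4
        }
        [pscustomobject]@{
            Host    = $env:COMPUTERNAME
            Before  = $before
            After   = $after
            Changed = ($after -ne $before)
        }
    } | Select-Object Host, Before, After, Changed
}
```

Run it once without -Disable to see which servers still have NFSv2/NFSv3 on, confirm with the application owners that their clients can use NFSv4.1, and only then run .\Disable-LegacyNfs.ps1 -Disable. The mitigation is a stopgap: the update should still be installed, after which v3 can be re-enabled if a client really needs it.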
CVE-2022-26923 – Active Directory Domain Services Elevation of Privilege Vulnerability
By including crafted data in a certificate request, an attacker can obtain a certificate that lets them authenticate to a domain controller with high privileges: any domain user can become a domain admin. A system is vulnerable only if Active Directory Certificate Services is running in the domain, which is a very common configuration. As the attack complexity is low, it would not surprise me to see active attacks using this technique sooner rather than later.
If you are interested in more details, Oliver Lyak describes it very nicely in this article.
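The attack relies on a computer account whose dNSHostName has been changed to that of a domain controller, and the fix (KB5014754) adds the StrongCertificateBindingEnforcement setting to the KDC. The script below is an added example, not code from the original post or from Oliver Lyak's write-up; it runs three checks that follow from the description above: how many computer accounts an ordinary user may create, which computer objects have a dNSHostName that does not match their sAMAccountName, and which enforcement mode each DC's KDC is in. It assumes the ActiveDirectory module and WinRM access to the domain controllers.

```powershell
# Added example (not from the original post): three checks related to CVE-2022-26923.
# 1. ms-DS-MachineAccountQuota: the attack needs a computer account the attacker controls,
#    and by default any user may create 10 of them.
# 2. Computer objects whose dNSHostName does not match "<sAMAccountName>.<domain>": the
#    crafted request abuses this attribute, which the CA puts into the certificate.
# 3. StrongCertificateBindingEnforcement on each DC (KB5014754):
#    0 = disabled, 1 = compatibility mode, 2 = full enforcement; not set = pre-patch default.
# Assumptions: ActiveDirectory module available, WinRM to the DCs.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$dnsRoot = $domain.DNSRoot

# 1. machine account quota
$quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota (0 means only delegated accounts can join computers)"

# 2. dNSHostName / sAMAccountName mismatches
$mismatches = Get-ADComputer -Filter * -Properties dNSHostName, whenCreated, whenChanged | ForEach-Object {
    $expected = "{0}.{1}" -f $_.SamAccountName.TrimEnd('$'), $dnsRoot
    if ($_.dNSHostName -and ($_.dNSHostName -ne $expected)) {
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            dNSHostName    = $_.dNSHostName
            Expected       = $expected
            Created        = $_.whenCreated
            Changed        = $_.whenChanged
        }
    }
}
"Computer objects with unexpected dNSHostName: $(@($mismatches).Count)"
$mismatches | Format-Table -AutoSize

# 3. KDC enforcement mode on every DC
$kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
Invoke-Command -ComputerName (Get-ADDomainController -Filter *).HostName -ScriptBlock {
    $v = (Get-ItemProperty -Path $using:kdcKey -Name StrongCertificateBindingEnforcement -ErrorAction SilentlyContinue).StrongCertificateBindingEnforcement
    [pscustomobject]@{
        DC                                 = $env:COMPUTERNAME
        StrongCertificateBindingEnforcement = if ($null -eq $v) { 'not set' } else { $v }
    }
} | Format-Table DC, StrongCertificateBindingEnforcement -AutoSize
```

Expect some benign hits in check 2: computers in a different DNS zone than the domain name, or renamed machines, also show a mismatch. What you are looking for is a recently created or recently changed computer object whose dNSHostName equals the FQDN of a domain controller. Check 3 tells you whether the DCs can already reject certificates that lack the new SID extension; until they run in full enforcement, a certificate obtained before patching remains usable.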
CVE-2022-22012 & CVE-2022-29130 – Windows LDAP Remote Code Execution Vulnerability
These vulnerabilities carry a CVSS score of 9.8 but are rated only Important, because they are exploitable only if the MaxReceiveBuffer LDAP policy is set to a value higher than the default (10,485,760). Systems with the default value are not vulnerable, and it is not common to change it. An unauthenticated attacker could send a specially crafted request to a vulnerable server; successful exploitation would result in the attacker's code running in the context of the SYSTEM account.
To check MaxReceiveBuffer on your LDAP policy you can use ntdsutil.exe:
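The same LDAP policy values that ntdsutil shows are stored in the lDAPAdminLimits attribute of the Default Query Policy object in the configuration partition, so they can also be read with the ActiveDirectory module. The script below is an added example, not code from the original post: it lists all administrative limits, flags MaxReceiveBuffer when it is above the default, and lists any other query policy objects (a DC or site can be pointed at a different policy via its queryPolicyObject attribute). The ntdsutil sequence is given in a comment; the DC name DC01 in it is an assumption.

```powershell
# Added example (not from the original post): read the LDAP administrative limits of the
# Default Query Policy and flag MaxReceiveBuffer when it exceeds the 10,485,760 default
# that keeps CVE-2022-22012 / CVE-2022-29130 from being exploitable.
# Equivalent ntdsutil sequence (DC01 is an assumption):
#   ntdsutil "LDAP policies" connections "connect to server DC01" quit "show values" quit quit
# Assumption: ActiveDirectory module available and a reachable DC.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$policies = "CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$policyDN = "CN=Default Query Policy,$policies"

# lDAPAdminLimits holds strings of the form "Name=Value"
$limits = (Get-ADObject -Identity $policyDN -Properties lDAPAdminLimits).lDAPAdminLimits
$report = foreach ($entry in $limits) {
    $name, $value = $entry -split '=', 2
    [pscustomobject]@{ Limit = $name; Value = [int64]$value }
}
$report | Sort-Object Limit | Format-Table -AutoSize

$default = 10485760
$mrb = ($report | Where-Object Limit -eq 'MaxReceiveBuffer').Value
if ($null -eq $mrb) {
    "MaxReceiveBuffer not present in lDAPAdminLimits: the built-in default ($default) applies"
} elseif ($mrb -gt $default) {
    Write-Warning "MaxReceiveBuffer is $mrb (> $default): DCs using this policy are exposed to CVE-2022-22012/CVE-2022-29130 until patched"
} else {
    "MaxReceiveBuffer = $mrb (default or lower): not exploitable according to Microsoft"
}

# Other query policy objects: a DC or site may reference one of these instead of the default
Get-ADObject -LDAPFilter '(objectClass=queryPolicy)' -SearchBase $policies |
    Select-Object Name, DistinguishedName
```

If the last query returns more than the Default Query Policy, repeat the lDAPAdminLimits check against each additional object, since a custom policy assigned to a single DC is exactly where a raised MaxReceiveBuffer would hide.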
CVE-2022-21978 – Microsoft Exchange Server Elevation of Privilege Vulnerability
In this case, an attacker who already has elevated privileges on the Exchange server could gain the rights of a Domain Administrator, giving them access and control well outside the expected scope of the targeted functionality. It applies to Exchange 2013 CU23, Exchange 2016 CU22 and CU23, and Exchange 2019 CU11 and CU12.
Below you can see the most important CVEs released by Microsoft for May 2022 (zero-days, Critical ones, and those with a CVSS score of at least 8.0). Besides the vulnerabilities already mentioned, you can also find several quite interesting ones concerning the Remote Desktop Client, Point-to-Point Tunneling Protocol, Kerberos, and more.
CVE Number | CVE Title | Severity (CVSS score) | Attack Vector | Attack Complexity | Privileges Required | User interaction | Exploit Code Maturity | Applicable for |
---|---|---|---|---|---|---|---|---|
CVE-2022-26925 | Windows LSA Spoofing Vulnerability | Important (8.1) | Network | High | None | None | Exploited | Windows 7+ Server 2008+ |
CVE-2022-29972 | Insight Software: CVE-2022-29972 Magnitude Simba Amazon Redshift ODBC Driver | Critical | Network | Low | High | None | Publicly disclosed | Self-hosted Integration Runtime |
CVE-2022-22713 | Windows Hyper-V Denial of Service Vulnerability | Important (5.6) | Local | High | Low | None | PoC | Windows 10 20H2+ Server 20H2 (Core) |
CVE-2022-26937 | Windows Network File System Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Server 2008+ |
CVE-2022-26923 | Active Directory Domain Services Elevation of Privilege Vulnerability | Critical (8.8) | Network | Low | Low | None | Unproven | Windows 8.1+ Server 2012 R2+ |
CVE-2022-22017 | Remote Desktop Client Remote Code Execution Vulnerability | Critical (8.8) | Network | Low | None | Required | Unproven | Windows 11 Server 2022 Remote Desktop client for Windows Desktop |
CVE-2022-21972 | Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 7+ Server 2008+ |
CVE-2022-23270 | Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 7+ Server 2008+ |
CVE-2022-26931 | Windows Kerberos Elevation of Privilege Vulnerability | Critical (7.5) | Network | High | Low | None | Unproven | Windows 7+ Server 2008+ |
CVE-2022-22012 | Windows LDAP Remote Code Execution Vulnerability | Important (9.8) | Network | Low | None | None | Unproven | Windows 7+ Server 2008+ |
CVE-2022-29130 | Windows LDAP Remote Code Execution Vulnerability | Important (9.8) | Network | Low | None | None | Unproven | Windows 7+ Server 2008+ |
CVE-2022-22013 | Windows LDAP Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 7+ Server 2008+ |
CVE-2022-22014 | Windows LDAP Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 7+ Server 2008+ |
CVE-2022-29128 | Windows LDAP Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 7+ Server 2008+ |
CVE-2022-29129 | Windows LDAP Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 7+ Server 2008+ |
CVE-2022-29131 | Windows LDAP Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+ Server 2019+ |
CVE-2022-29137 | Windows LDAP Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 7+ Server 2008+ |
CVE-2022-29139 | Windows LDAP Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 7+ Server 2008+ |
CVE-2022-29141 | Windows LDAP Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 7+ Server 2008+ |
CVE-2022-29108 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | SharePoint 2013 SP1, 2016, 2019, Server Subscription |
CVE-2022-22019 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 7+ Server 2008+ |
CVE-2022-30129 | Visual Studio Code Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Visual Studio Code |
CVE-2022-26927 | Windows Graphics Component Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 10+ Server 2019+ |
CVE-2022-29133 | Windows Kernel Elevation of Privilege Vulnerability | Important (8.8) | Local | Low | Low | None | Unproven | Windows 11 |
CVE-2022-21978 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important (8.2) | Local | Low | High | None | Unproven | Exchange 2013 CU23 Exchange 2016 CU22+ Exchange 2019 CU11+ |
CVE-2022-26932 | Storage Spaces Direct Elevation of Privilege Vulnerability | Important (8.2) | Local | Low | High | None | Unproven | Server 2016+ |