Microsoft Patch Tuesday – May 2022

This month, Microsoft has fixed 75 vulnerabilities, including 7 rated critical and 3 zero-days.

CVE-2022-26925 – Windows LSA Spoofing Vulnerability

This vulnerability allows an unauthenticated attacker to force a domain controller to authenticate against another server using NTLM. The threat actor would need to be in the logical network path between the target and the requested resource (e.g., Man-in-the-Middle). This vulnerability might be combined with NTLM relay attacks. If you remember PetitPotam from last year, you know what I’m talking about. Please also review KB5005413 and ADV210003 to be sure that you are already preventing NTLM relay attacks.
This patch affects some backup functionality on Windows Server 2008 SP2. If you’re running that OS, read this one carefully to ensure your backups can still be used to restore, as OpenEncryptedFileRaw will no longer work on Windows Server 2008 SP2.

CVE-2022-29972 – Insight Software: Magnitude Simba Amazon Redshift ODBC Driver

The vulnerability is specific to the third-party Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime (IR) and did not impact Azure Synapse as a whole. The vulnerability could have allowed an attacker to perform remote command execution across IR infrastructure not limited to a single tenant. If you use these services, review the blog and ADV220001 to ensure you understand the risks to your services.

CVE-2022-26937 – Windows Network File System Remote Code Execution Vulnerability

This vulnerability allows a remote, unauthenticated attacker to execute code in the context of the Network File System (NFS) service on affected systems. The NFS role isn’t enabled by default on Windows Servers, but if your environment is a mix of Linux/Unix/Windows, please double check whether NFS is enabled on your systems. This vulnerability is not exploitable in NFSv4.1. Until you install the Windows update that protects against this vulnerability, you can mitigate an attack by disabling NFSv2 and NFSv3.
To find NFS instances in your domain, you can use a PowerShell script like the one below:

# Collect all enabled server computer accounts from Active Directory (requires the ActiveDirectory module).
$Computers = Get-ADComputer -Filter 'OperatingSystem -like "*server*" -and Enabled -eq "True"' -Properties Name,OperatingSystem,OperatingSystemVersion,IPv4Address |
Sort-Object -Property OperatingSystem |
Select-Object -Property Name,OperatingSystem,OperatingSystemVersion,IPv4Address

# Query each server for installed NFS features (Get-WindowsFeature -ComputerName needs
# remote management enabled on the target and the ServerManager module on the machine running the script).
$CSV =
Foreach ($Computer in $Computers){
    $NFS =
    Get-WindowsFeature *NFS* -ComputerName $Computer.Name |
    Where-Object {$_.InstallState -eq "Installed"}

    # One row per server: installed NFS feature names joined with ";" or "-" when none is installed.
    [pscustomobject]@{
        ComputerName = $Computer.Name
        NFSInfo      = if($NFS){$NFS.Name  -join ";"}else{"-"}
    }
}

# Write the inventory to CSV for review.
$CSV |
Export-Csv "C:\Temp\NFS_status.csv" -NoTypeInformation
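Once the inventory above shows which servers run NFS, the interim mitigation from the text (disable NFSv2 and NFSv3, leave NFSv4.1) can be checked and applied per server. The following is an added example, not a script from the original post; it assumes it is run locally on a server with the NFS server role, that the Get-/Set-NfsServerConfiguration cmdlets are available, and that the service is registered as NfsService.

```powershell
# Added example: report which NFS protocol versions this server accepts and,
# only when -Apply is given, turn off NFSv2/NFSv3 as the interim mitigation.
param(
    [switch]$Apply   # without -Apply the script only reports and changes nothing
)

$cfg = Get-NfsServerConfiguration

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    NFSv2        = $cfg.EnableNFSV2
    NFSv3        = $cfg.EnableNFSV3
    NFSv4        = $cfg.EnableNFSV4
    # v2 and v3 are the affected versions; v4.1 is not exploitable per the advisory
    Exposed      = [bool]($cfg.EnableNFSV2 -or $cfg.EnableNFSV3)
} | Format-List

if ($Apply -and ($cfg.EnableNFSV2 -or $cfg.EnableNFSV3)) {
    # Disable the affected protocol versions; NFSv4 stays as configured.
    Set-NfsServerConfiguration -EnableNFSV2 $false -EnableNFSV3 $false

    # The change takes effect after the Server for NFS service restarts
    # (service name NfsService assumed).
    Restart-Service -Name NfsService -Force

    # Re-read the configuration to confirm v2/v3 are now off.
    Get-NfsServerConfiguration |
    Select-Object EnableNFSV2, EnableNFSV3, EnableNFSV4
}
```

Clients that can only speak NFSv3 (older Linux/Unix mounts) lose access after -Apply, so check the inventory's consumers before rolling this out widely.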

CVE-2022-26923 – Active Directory Domain Services Elevation of Privilege Vulnerability

By including crafted data in a certificate request, an attacker can obtain a certificate that allows them to authenticate to a domain controller with a high level of privilege – any domain user can become a domain admin if Active Directory Certificate Services is running in the domain. A system is vulnerable only if Active Directory Certificate Services is running in the domain, which is quite a common configuration. As attack complexity is low, it wouldn’t surprise me to see active attacks using this technique sooner rather than later.
If you are interested in more details, it is described very well by Oliver Lyak in this article.

CVE-2022-22012 & CVE-2022-29130 – Windows LDAP Remote Code Execution Vulnerability

This vulnerability has a high CVSS score (9.8), but is marked only as Important because it is exploitable only if the MaxReceiveBuffer LDAP policy is set to a value higher than the default (10,485,760). Systems with the default value of this policy are not vulnerable, and it isn’t common to change that value. An unauthenticated attacker could send a specially crafted request to a vulnerable server. Successful exploitation could result in the attacker’s code running in the context of the SYSTEM account.
To check MaxReceiveBuffer in your LDAP policy you can use ntdsutil.exe:

[Screenshot: Check MaxReceiveBuffer using ntdsutil]
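The same check can be scripted across the forest instead of connecting to one DC at a time with ntdsutil. This is an added example, not from the original post; it reads the LDAP query policy objects directly from the configuration partition and assumes the ActiveDirectory module is available.

```powershell
# Added example: find every LDAP query policy in the forest, read its
# MaxReceiveBuffer, and flag values above the default of 10485760 bytes.
# Equivalent interactive ntdsutil sequence for a single DC:
#   ntdsutil "ldap policies" connections "connect to server DC01" quit "show values" quit quit
Import-Module ActiveDirectory

$defaultMax = 10485760
$configNC   = (Get-ADRootDSE).configurationNamingContext
$policyBase = "CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

# Each queryPolicy object stores its limits as "Name=Value" strings in lDAPAdminLimits.
Get-ADObject -SearchBase $policyBase -Filter 'objectClass -eq "queryPolicy"' -Properties lDAPAdminLimits |
ForEach-Object {
    $limit = $_.lDAPAdminLimits | Where-Object { $_ -like 'MaxReceiveBuffer=*' }
    # No explicit entry means the built-in default applies.
    $value = if ($limit) { [int64]($limit -split '=')[1] } else { $defaultMax }
    [pscustomobject]@{
        Policy           = $_.Name
        MaxReceiveBuffer = $value
        AboveDefault     = $value -gt $defaultMax   # $true = exposed to CVE-2022-22012 / CVE-2022-29130
    }
} | Format-Table -AutoSize

# A DC can be bound to a non-default policy through queryPolicyObject on its
# NTDS Settings object; list those so the right policy row is checked per DC.
Get-ADObject -SearchBase "CN=Sites,$configNC" -Filter 'objectClass -eq "nTDSDSA"' -Properties queryPolicyObject |
Where-Object { $_.queryPolicyObject } |
Select-Object @{ n = 'NTDSSettings'; e = { $_.DistinguishedName } }, queryPolicyObject |
Format-Table -AutoSize
```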

CVE-2022-21978 – Microsoft Exchange Server Elevation of Privilege Vulnerability

In this case, an attacker with elevated privileges on the Exchange server could gain the rights of a Domain Administrator. This could allow access and control outside of the expected scope of the targeted functionality. Applies to Exchange 2013 CU23, Exchange 2016 CU22-23, and Exchange 2019 CU11-12.

Below you can see the most important CVEs released by Microsoft for May 2022 (zero-days, critical, and those with CVSS of at least 8.0). Besides the vulnerabilities already mentioned, you can also find several quite interesting ones concerning Remote Desktop Client, Point-to-Point Tunneling, Kerberos, and more.

CVE Number | CVE Title | Severity (CVSS score) | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Exploit Code Maturity | Applicable for
CVE-2022-26925 | Windows LSA Spoofing Vulnerability | Important (8.1) | Network | High | None | None | Exploited | Windows 7+, Server 2008+
CVE-2022-29972 | Insight Software: CVE-2022-29972 Magnitude Simba Amazon Redshift ODBC Driver | Critical | Network | Low | High | None | Publicly disclosed | Self-hosted Integration Runtime
CVE-2022-22713 | Windows Hyper-V Denial of Service Vulnerability | Important (5.6) | Local | High | Low | None | PoC | Windows 10 20H2+, Server 20H2 (Core)
CVE-2022-26937 | Windows Network File System Remote Code Execution Vulnerability | Critical (9.8) | Network | Low | None | None | Unproven | Server 2008+
CVE-2022-26923 | Active Directory Domain Services Elevation of Privilege Vulnerability | Critical (8.8) | Network | Low | Low | None | Unproven | Windows 8.1+, Server 2012 R2+
CVE-2022-22017 | Remote Desktop Client Remote Code Execution Vulnerability | Critical (8.8) | Network | Low | None | Required | Unproven | Windows 11, Server 2022, Remote Desktop client for Windows Desktop
CVE-2022-21972 | Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 7+, Server 2008+
CVE-2022-23270 | Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical (8.1) | Network | High | None | None | Unproven | Windows 7+, Server 2008+
CVE-2022-26931 | Windows Kerberos Elevation of Privilege Vulnerability | Critical (7.5) | Network | High | Low | None | Unproven | Windows 7+, Server 2008+
CVE-2022-22012 | Windows LDAP Remote Code Execution Vulnerability | Important (9.8) | Network | Low | None | None | Unproven | Windows 7+, Server 2008+
CVE-2022-29130 | Windows LDAP Remote Code Execution Vulnerability | Important (9.8) | Network | Low | None | None | Unproven | Windows 7+, Server 2008+
CVE-2022-22013 | Windows LDAP Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 7+, Server 2008+
CVE-2022-22014 | Windows LDAP Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 7+, Server 2008+
CVE-2022-29128 | Windows LDAP Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 7+, Server 2008+
CVE-2022-29129 | Windows LDAP Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 7+, Server 2008+
CVE-2022-29131 | Windows LDAP Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 10+, Server 2019+
CVE-2022-29137 | Windows LDAP Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 7+, Server 2008+
CVE-2022-29139 | Windows LDAP Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 7+, Server 2008+
CVE-2022-29141 | Windows LDAP Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | Windows 7+, Server 2008+
CVE-2022-29108 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important (8.8) | Network | Low | Low | None | Unproven | SharePoint 2013 SP1, 2016, 2019, Server Subscription
CVE-2022-22019 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 7+, Server 2008+
CVE-2022-30129 | Visual Studio Code Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Visual Studio Code
CVE-2022-26927 | Windows Graphics Component Remote Code Execution Vulnerability | Important (8.8) | Network | Low | None | Required | Unproven | Windows 10+, Server 2019+
CVE-2022-29133 | Windows Kernel Elevation of Privilege Vulnerability | Important (8.8) | Local | Low | Low | None | Unproven | Windows 11
CVE-2022-21978 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important (8.2) | Local | Low | High | None | Unproven | Exchange 2013 CU23, Exchange 2016 CU22+, Exchange 2019 CU11+
CVE-2022-26932 | Storage Spaces Direct Elevation of Privilege Vulnerability | Important (8.2) | Local | Low | High | None | Unproven | Server 2016+
