IT admins have a lot of patching to do this month as Microsoft has released patches to address nearly 130 security vulnerabilities, including 10 critical bugs and three with a CVSS of 9.8.
According to Zero Day Initiative (ZDI), the vulnerability disclosure initiative of cybersecurity firm Trend Micro, this volume of patches has not been seen since the fall of 2020, but the level is somewhat similar to the first quarter of last year.
The 128 bugs patched by Microsoft this Patch Tuesday are in addition to the 17 CVEs that Microsoft Edge inherits from the Chromium open-source project, bringing the total number of April bugs to 145.
Vulnerable products include the RPC Runtime Library, Windows Network File System, Microsoft Defender, Exchange Server, Print Spooler, Windows Hyper-V, DNS Server, Skype and more.
Here’s a look at some of the more alarming vulnerabilities that admins should prioritize, as outlined by ZDI:
CVE-2022-26809 – RPC Runtime Library Remote Code Execution Vulnerability
This flaw could allow a remote attacker to execute code at high privileges on an affected system without user interaction, making the bug potentially wormable, at least between machines where RPC can be reached, according to ZDI. The static port used, TCP port 135, is usually blocked at the network perimeter, but attackers could still use it for lateral movement. With a CVSS of 9.8, this is one admins should test and deploy quickly.
CVE-2022-24491/24497 – Windows Network File System Remote Code Execution Vulnerability
Both of these bugs also get a CVSS of 9.8, and Microsoft says exploitation is more likely. According to ZDI, a remote attacker on systems where the NFS role is enabled could execute code on an affected system with high privileges without user interaction.
Those factors also lead to a potentially wormable vulnerability, at least between NFS servers. Like RPC, this is blocked at the network perimeter, but Microsoft does provide guidance on how the RPC port multiplexer (port 2049) is firewall-friendly and simplifies deployment of NFS. Roll out these patches rapidly, ZDI advises.
CVE-2022-26815 – Windows DNS Server Remote Code Execution Vulnerability
Microsoft patched 18 DNS Server bugs this month, but this is the most severe of them, with a CVSS of 8.8. ZDI notes that this particular bug is similar to one patched in February, which suggests this patch fixes what the first one did not. Per ZDI, exploitation of this bug requires dynamic updates to be enabled and some elevated privileges.
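The three network-facing bugs above each hinge on a condition an admin can check locally: whether TCP 135 is reachable (RPC), whether the Server for NFS role is installed (NFS), and whether any zone accepts dynamic updates (DNS). The PowerShell triage script below is an added example written for this article, not code from ZDI or Microsoft; it uses only the standard ServerManager, NetTCPIP, NetSecurity and DnsServer cmdlets, assumes it runs elevated on a Windows Server host, and uses a placeholder where the per-build KB number would go, since the CVE-to-KB mapping must come from the Microsoft Security Update Guide for your build.

```powershell
# Added example: attack-surface triage for CVE-2022-26809 (RPC), CVE-2022-24491/24497 (NFS)
# and CVE-2022-26815 (DNS). Run elevated on Windows Server. Not part of the original article.

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Cve, [string]$Check, [string]$Result, [string]$Severity)
    $findings.Add([pscustomobject]@{ CVE = $Cve; Check = $Check; Result = $Result; Severity = $Severity })
}

# --- CVE-2022-26809: RPC Runtime Library ---
# The RPC endpoint mapper listens on TCP 135. Any host that can reach that port can reach
# the bug, so a perimeter block alone does not prevent lateral movement inside the network.
$rpcListener = Get-NetTCPConnection -LocalPort 135 -State Listen -ErrorAction SilentlyContinue
Add-Finding 'CVE-2022-26809' 'TCP/135 listener present' ([bool]$rpcListener) 'Critical'

# Is there an enabled inbound host-firewall rule that blocks TCP/135?
$blockRules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '135' }
Add-Finding 'CVE-2022-26809' 'Host firewall block rule for TCP/135' ([bool]$blockRules) 'Info'

# --- CVE-2022-24491 / CVE-2022-24497: Windows Network File System ---
# Only hosts with the Server for NFS role (feature name FS-NFS-Service) are exposed.
$nfs = Get-WindowsFeature -Name FS-NFS-Service -ErrorAction SilentlyContinue
$nfsInstalled = [bool]($nfs -and $nfs.Installed)
Add-Finding 'CVE-2022-24491/24497' 'Server for NFS role installed' $nfsInstalled 'Critical'
if ($nfsInstalled) {
    $nfsListener = Get-NetTCPConnection -LocalPort 2049 -State Listen -ErrorAction SilentlyContinue
    Add-Finding 'CVE-2022-24491/24497' 'TCP/2049 listener present' ([bool]$nfsListener) 'Critical'
}

# --- CVE-2022-26815: Windows DNS Server ---
# Exploitation needs dynamic updates, so list primary zones that accept them.
# 'NonsecureAndSecure' is the riskiest setting; 'Secure' still counts as enabled.
$dns = Get-WindowsFeature -Name DNS -ErrorAction SilentlyContinue
if ($dns -and $dns.Installed) {
    $zones = Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and $_.DynamicUpdate -ne 'None' }
    foreach ($z in $zones) {
        Add-Finding 'CVE-2022-26815' "Zone $($z.ZoneName) accepts dynamic updates" $z.DynamicUpdate 'High'
    }
    if (-not $zones) { Add-Finding 'CVE-2022-26815' 'Primary zones with dynamic updates' 'none' 'Info' }
} else {
    Add-Finding 'CVE-2022-26815' 'DNS Server role installed' 'no' 'Info'
}

# --- Patch state ---
# April 2022 Patch Tuesday was 12 April 2022. Count updates installed on or after that date;
# to confirm a specific fix, look up the KB for this build in the Security Update Guide and
# replace the placeholder below.
$patchTuesday = Get-Date '2022-04-12'
$recent = @(Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday })
Add-Finding 'ALL' 'Updates installed on/after 2022-04-12' $recent.Count 'Info'
$kb = 'KB<placeholder-from-Security-Update-Guide>'
$fix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
Add-Finding 'ALL' "Hotfix $kb present" ([bool]$fix) 'Info'

$findings | Format-Table -AutoSize
```

Run it on each server before the rollout to rank which hosts need the update first: a host that listens on TCP/135 with no host-level block rule, has Server for NFS installed, or serves primary zones with dynamic updates enabled should go to the front of the queue. A count of zero recent hotfixes after the rollout window is a simple signal that the deployment did not reach that host.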
CVE-2022-26904 – Windows User Profile Service Elevation of Privilege Vulnerability
According to ZDI, this bug allows an attacker to gain code execution at SYSTEM level on affected systems, but they need some level of privileges before they can escalate. Bugs of this kind are often paired with other bugs to completely take over a system. This is also one of the publicly known vulnerabilities patched this month, and a proof-of-concept and a Metasploit module are already available for it.
CVE-2022-24521 – Windows Common Log File System Driver Elevation of Privilege Vulnerability
This is the only bug Microsoft lists as under active exploitation and was reported by the National Security Agency, so this is not to be taken lightly. It is likely paired with another RCE bug, ZDI says. It’s unclear how widespread exploitation is, but admins shouldn’t wait to find out.
Read ZDI’s blog for more information on the full list of patches, including four updates that fix 70 CVEs in Adobe products, including Acrobat and Reader, Photoshop, After Effects, and Adobe Commerce.