Microsoft has released fixes for 74 vulnerabilities across a wide range of IT products this Patch Tuesday, including three zero-day vulnerabilities (one of them a Windows LSA spoofing bug under active attack) and several critical remote code execution flaws.
The 74 bugs fixed by Microsoft in today’s Patch Tuesday release are in Windows, .NET and Visual Studio, Edge, Exchange Server, Office, Hyper-V, Remote Desktop Client, Active Directory and more.
According to Zero Day Initiative (ZDI), the vulnerability research arm of cybersecurity firm Trend Micro, seven are rated critical, 66 are rated important and one is rated low in severity.
Compared to last month’s 128 vulnerabilities, May is a relatively easier month for IT admins in terms of patching Microsoft systems, but there are still several bugs that admins should prioritize patching, according to ZDI and other cybersecurity firms.
CVE-2022-26925 – Windows LSA Spoofing Vulnerability
According to ZDI, this bug could allow an unauthenticated attacker to force a domain controller to authenticate against another server using NTLM, but the attacker would need to be in the logical network path between the target and the resource requested. Despite that added complexity, someone appears to have figured it out, since Microsoft says it is under active exploitation. The company gives this a CVSS score of 9.8 when combined with NTLM relay attacks. ZDI notes that the patch could impact some backup functionality on Server 2008 SP2, so admins should move carefully to ensure backups can still be used. ZDI suggests admins review KB5005413 and Advisory ADV210003 to learn more about mitigating such attacks.
CVE-2022-26923 – Active Directory Domain Services Elevation of Privilege Vulnerability
According to ZDI, this specific bug targets a common deployment of Active Directory and is relatively easy to exploit, making it a prime target for threat actors now that it's published. Exploitation happens when an attacker includes specially crafted data in a certificate request to obtain a certificate that allows them to authenticate to a domain controller with a high level of privilege. This allows any domain-authenticated user to become a domain admin if Active Directory Certificate Services is running on the domain.
CVE-2022-26937 – Windows Network File System Remote Code Execution Vulnerability
ZDI suggests admins test and deploy a patch for this bug quickly, as the CVSS 9.8-rated flaw could allow remote, unauthenticated users to execute code in the context of the Network File System (NFS) service on affected systems. While not on by default, NFS is common in environments where Windows systems are mixed with other operating systems, such as Linux or Unix. This doesn't impact NFSv4, so admins should upgrade from older versions.
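As an added example (not code from the article, ZDI or Microsoft), the following PowerShell audit checks a Windows Server host for the exposure described above: whether Server for NFS is installed at all, and if so, whether the older NFS versions (v2/v3) are still enabled alongside NFSv4. It assumes the ServerManager and NFS PowerShell modules that ship with the Windows Server NFS role.

```powershell
# Added example, not from the article: audit a Windows Server host for CVE-2022-26937
# exposure. Assumes the ServerManager and NFS modules are available on the host.
function Test-NfsLegacyExposure {
    [CmdletBinding()]
    param()

    # Server for NFS is off by default; if the role service is absent there is nothing to flag.
    $feature = Get-WindowsFeature -Name FS-NFS-Service -ErrorAction Stop
    if (-not $feature.Installed) {
        return [pscustomobject]@{
            NfsInstalled   = $false
            NfsV2Enabled   = $null
            NfsV3Enabled   = $null
            NfsV4Enabled   = $null
            Recommendation = 'Server for NFS is not installed; no NFS exposure on this host.'
        }
    }

    # Read which protocol versions the server answers. The article notes NFSv4 is not
    # affected, so v2/v3 being enabled is what we flag.
    $cfg = Get-NfsServerConfiguration -ErrorAction Stop
    $v2 = [bool]$cfg.EnableNFSV2
    $v3 = [bool]$cfg.EnableNFSV3
    $v4 = [bool]$cfg.EnableNFSV4

    $advice = if ($v2 -or $v3) {
        'Legacy NFS versions enabled: install the May Patch Tuesday update, move clients to NFSv4, ' +
        'then disable v2/v3 with: Set-NfsServerConfiguration -EnableNFSV2 $false -EnableNFSV3 $false'
    } else {
        'Only NFSv4 is enabled; install the update as part of normal patching.'
    }

    [pscustomobject]@{
        NfsInstalled   = $true
        NfsV2Enabled   = $v2
        NfsV3Enabled   = $v3
        NfsV4Enabled   = $v4
        Recommendation = $advice
    }
}

# Run the audit on the local host and show the findings.
Test-NfsLegacyExposure | Format-List
```

Run it from an elevated session on each NFS-capable server; disabling v2/v3 reduces the reachable surface but is not a substitute for the patch.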
CVE-2022-29972 – Insight Software: Magnitude Simba Amazon Redshift ODBC Driver
This bug exists in the third-party ODBC data connector used to connect to Amazon Redshift, in Integration Runtime in Azure Synapse Pipelines, and Azure Data Factory, ZDI notes, adding that it could allow an attacker to execute remote commands across Integration Runtimes. Microsoft released an update and blog earlier this week, so admins should review those if they use these services. Microsoft says it isn’t aware of any exploitation of the bug.
Other critical-rated bugs include remote code execution flaws in the Point-to-Point Tunneling Protocol and Remote Desktop Client. The other publicly known bug is a denial-of-service flaw in Windows Hyper-V, but it is only given a CVSS score of 5.6.
Read ZDI’s blog for more information on Microsoft’s patches, as well as 18 bugs fixed by Adobe.