The recent Microsoft Patch released this past Tuesday, May 10th, 2022 is providing a fix for 74 security vulnerabilities.  This continues the upward trend of critical vulnerabilities being matched in regular patches, and should encourage IT Teams across the private sector to look to implement patching as soon as possible.  If you want/need help, let us know.

Critical Vulnerabilities:

• CVE-2022-26925 (WINDOWS LSA SPOOFING VULNERABILITY) - This "important" flaw allows malicious actors to "call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM." Microsoft assigned the flaw a CVSS severity score of 8.1, but noted that if it was combined with NTLM relay attacks, the severity would be bumped up to 9.8. This patch corrects the flaw by detecting and disallowing anonymous connection attempts in LSARPC.
• CVE-2022-26923 -This "critical" flaw exploits the issuance of certificates by inserting crafted data into a certificate request. This allows the attacker to obtain a certificate which is capable of authenticating a domain controller with a high-level of privilege. It essentially allows the individual with unauthorized authentication to become a domain admin within any domain running Active Directory Certificate Services. This flaw earned a CVSS score of 8.8
• CVE-2022-26937 (Windows Network File System Remote Code Execution Vulnerability) - Is a RCE vulnerability impacting the Windows Network File System (NFS) which can be exploited by a remote, unauthenticated attacker using a specially crafted call to a NFS service to achieve code execution. Microsoft assigned a 9.8 CVSSv3 score and rated this as “Exploitation More Likely” according to Microsoft’s Exploitability Index. NFS version 4.1 is not impacted by this vulnerability and Microsoft provides the recommended workaround of disabling NFS versions 2 and 3 for those users who are not able to immediately apply the patch. However the workaround does warn that it may “adversely affect your ecosystem” and is only a temporary measure until patching can be completed.

• CVE-2022-29132 and CVE-2022-29104 (Windows Print Spooler Elevation of Privilege Vulnerabilities) -Are EoP vulnerabilities in Windows Print Spooler that received a CVSSv3 score of 7.8 and were rated “Exploitation More Likely.” CVE-2022-29132 was disclosed by g0st1 and CVE-2022-29104 by Oliver Lyak from the Institut for Cyber Risk on behalf of Trend Micro Zero Day Initiative. These are just the latest in a long line of EoP vulnerabilities Microsoft has addressed in Print Spooler over the last year, several of which have been exploited in attacks. In addition to the two EoP vulnerabilities, Microsoft also patched two information disclosure vulnerabilities in Print Spooler this month: CVE-2022-29140 and CVE-2022-29114.

• CVE-2022-22713 (Windows Hyper-V Denial of Service Vulnerability) -Is a DoS vulnerability impacting Windows Hyper-V. According to Microsoft’s description, exploitation of the vulnerability requires an attacker to win a race condition giving it a high complexity rating and a CVSSv3 score of 5.6. While it’s extremely unlikely that this vulnerability will see exploitation in the wild, Microsoft does note that the vulnerability was publicly disclosed. It is credited to Joe Bialek on Microsoft Security Response Center’s Vulnerabilities and Mitigations Team.

Suggested Actions

London Security suggests working with your support team to schedule and test the new patches, and then move toward distribution and release as soon as it is shown to be reliable within your environment.  If you have additional questions or concerns, please reach out to London Security via the comments below, and we will be happy to assist.  As stated earlier, if you would like a little assistance with your patching, let us know and we can discuss options for having our engineers assist you.