Microsoft fixes three zero-days on May Patch Tuesday

Three zero-days, including one that is being actively exploited and must be addressed immediately, are among more than 70 vulnerabilities fixed by Microsoft in its May 2022 Patch Tuesday drop.

Tracked as CVE-2022-26925, the exploited zero-day is a Windows Local Security Authority (LSA) spoofing vulnerability impacting Windows 7 to 10, and Windows Server 2008 to 2022.

In an advisory, Microsoft said: “An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows it.”

Dustin Childs of the Zero Day Initiative said that to exploit CVE-2022-26925, “the threat actor would need to be in the logical network path between the target and the resource requested, eg man-in-the-middle, but since this is listed as under active attack, someone must have figured out how to make that happen”.

Immersive Labs director of threat research, Kev Breen, added: “While the advisory lists this as a CVSS of 7.1, the score jumps to a 9.8 when used as part of an NTLM attack. While all servers are affected, domain controllers should be a priority for protection as, once exploited, this provides high-level access to privileges, often known as ‘the keys to the kingdom’.”

Alongside CVE-2022-26925, the two other zero-days in the latest update are CVE-2022-22713 in Windows Hyper-V, and CVE-2022-29972 in the Magnitude Simba Amazon Redshift ODBC Drive. Neither is yet known to have been exploited.

Greg Wiseman, lead product manager at Rapid7, broke down these additional zero-days. “CVE-2022-22713 is a denial-of-service vulnerability that affects Hyper-V servers running relatively recent versions of Windows (20H2 and later),” he said.

“CVE-2022-29972 is a critical RCE [remote code execution vulnerability] that affects the Amazon Redshift ODBC driver used by Microsoft’s Self-hosted Integration Runtime, a client agent that enables on-premise data sources to exchange data with cloud services such as Azure Data Factory and Azure Synapse Pipelines.”

Wiseman added: “This vulnerability also prompted Microsoft to publish their first guidance-based advisory of the year, ADV220001, indicating their plans to strengthen tenant isolation in their cloud services without actually providing any specific details or actions to be taken by customers.”

Meanwhile, Allan Liska of Recorded Future assessed some of the other more noteworthy vulnerabilities acknowledged on the second-to-last Patch Tuesday ever, at least in its current form, ahead of the planned launch of Windows Autopatch.

“CVE-2022-22012 and CVE-2022-29130 are both remote code execution vulnerabilities in Microsoft’s LDAP service. These vulnerabilities have both been labelled Critical by Microsoft, with CVSS scores of 9.8,” said Liska.

“That being said, Microsoft cautions in its bulletin for both that: ‘This vulnerability is only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. Systems with the default value of this policy would not be vulnerable.’ It does appear that having the MaxReceiveBuffer set to a higher value than the default is an uncommon configuration, but if your organisation does, this should be prioritised for patching.”

Liska continued: “CVE-2022-26937 is a remote code execution vulnerability in the network file system [NFS]. This is a serious vulnerability that impacts Windows Server 2008 through 2022 and is labelled Critical by Microsoft with a CVSS score of 9.8. This vulnerability only affects NFSV2 and NFSV3, and Microsoft has included instructions for disabling these versions of the NFS in the bulletin. Microsoft labels the ease of exploitation of this vulnerability as ‘Exploitation More Likely’.

“As with CVE-2021-36942, a similar vulnerability, CVE-2021-26432 was released in August 2021. Given the similarities between these vulnerabilities and those of August 2021, we could all be in store for a rough May.”