News

Microsoft Patches Zero-Day Flaw in May's Security Patch Rollout

• By Chris Paoli
• 05/10/2022

Microsoft on Tuesday released its monthly batch of security fixes, consisting of 74 targeted holes, which may look like a relief for some after last month's massive 128 total.

IT's top priority should be CVE-2022-26925, an "important" Windows LSA spoofing vulnerability that has already been seen to be actively exploited by attackers. The spoofing flaw covers all supported versions of Windows and Windows Server.

While the main concern may only be rated important by Microsoft, it could be devastating if partnered with an additional attack, leading to a man-in-the-middle attack if gone unpatched, according to Greg Wiseman, manager at security firm Rapid7. "This is very bad news when used in conjunction with an NTLM relay attack, potentially leading to remote code execution (RCE)," said Wiseman. "This bug affects all supported versions of Windows, but Domain Controllers should be patched on a priority basis before updating other servers."

Thankfully, that's the only zero-day item for the month. Those looking to prioritize should take note of CVE-2022-26923, a "critical" hole that could lead to an elevation-of-privilege attack in the Active Directory Domain Server. This bulletin addresses an issue with certificate issuance, which can be exploited if an attacker uses an authenticated domain controller certificate to gain high levels of privilege on a targeted machine. The ease and widespread use of this type of attack mean that, while it's not actively being exploited, custom attacks focusing on this issue should be relatively easy to develop.

Microsoft this month is highlighting the importance of CVE-2022-29972, a fix that was actually released on Monday, but of significance to include with Tuesday's patch. It involves a publicly disclosed flaw in the third-party Amazon tool that affects Azure Data Factory, a Microsoft Cloud Extract Transform Load (ETL) service. If exploited, an attacker could compromise multiple Windows services with the use of remote commands across Integration Runtimes.

After investigating the disclosed flaw from Orca security, Microsoft said that it didn't find any misuse of the vulnerability and Azure customers won't need to take any steps to protect themselves. Per a Microsoft blog post:

There is no action needed from Azure Data Factory or Azure Synapse pipeline customers who are hosted in the Azure cloud (Azure Integration Runtime) or who host on-premises (Self-Hosted Integration Runtime) with auto-updates turned on. Self-host IR customers without auto-update need to take action to safeguard their deployments.

May's patch bundle also comes packed with the additional five bulletins, rated "critical":

• CVE-2022-21972: Point-to-point tunneling protocol remote code execution vulnerability in Windows OS and Server.
• CVE-2022-23270: Point-to-point tunneling protocol remote code execution vulnerability in Windows OS and Server.
• CVE-2022-22017: Remote desktop client remote code execution vulnerability in Windows 11 and Windows Server 2022.
• CVE-2022-26931: Windows Kerberos elevation-of-privilege vulnerability in all supported versions of Windows OS and Server.
• CVE-2022-26937: Windows Network File System remote code execution vulnerability in all supported versions of Windows Server.

Finally, take note to address bulletin CVE-2022-22713, a Windows Hyper-V denial-of-service flaw. While Microsoft has designated it as an "important" item with a somewhat low Common Vulnerability Scoring System (CVSS) score, it is a publicly disclosed flaw, so it's smart to assume attacks are on their way.

The full list of all 74 bulletins can be found here.