In its April 2022 Patch Tuesday release, Microsoft addressed a zero-day under active attack & several critical security vulnerabilities, including 3 that allow ‘self-propagating’ exploits.
The company released patches for 128 security vulnerabilities in its April 2022 monthly scheduled update – 10 of them rated critical (including 3 wormable code-execution bugs that require no user interaction to exploit).
Privilege Escalation
There are also 2 important-rated zero-days that allow privilege escalation, including 1 listed as ‘under active exploit.’
Bugs in the update are found throughout the portfolio, including in Microsoft Windows & Windows Components, Microsoft Defender & Defender for Endpoint, Microsoft Dynamics, Microsoft Edge (Chromium-based), Exchange Server, Office & Office Components, SharePoint Server, Windows Hyper-V, DNS Server, Skype for Business, .NET & Visual Studio, Windows App Store & Windows Print Spooler Components.
“This large volume of patches has not been seen since the Autumn of 2020. However, this level is similar to what we saw in the 1st quarter of last year,” Dustin Childs, Researcher at Trend Micro’s Zero Day Initiative, said in a blog post breaking down the fixes.
Zero-Day Patches
The vulnerability that’s been exploited ‘in the wild’ ahead of patching allows privilege escalation, & is tracked as CVE-2022-24521. It rates 7.8 / 10 on the CVSS vulnerability-severity scale. It is listed as a “Windows Common Log File System Driver Execution Vulnerability,” & was reported to Microsoft by the US National Security Agency (NSA).
“It’s not stated how widely the exploit is being used in the wild, but it’s likely still targeted at this point & not broadly available,” Childs explained. “Go patch your systems before that situation changes.”
Code-Execution Bug
Researchers stated that attackers are likely pairing the privilege-escalation flaw with a separate code-execution bug in their campaigns. Thus, Immersive Labs’ Kevin Breen, Director of Cyber-Threat Research, places the actively exploited bug at ‘the top of the list’ for patching.
“Being the type of vulnerability for escalating privileges, this would indicate a threat actor is currently using it to aid lateral movement to capitalise on a pre-existing foothold,” he explained.
Windows User Profile
The 2nd zero-day is found in the Windows User Profile Service & is tracked as CVE-2022-26904.
It also allows privilege escalation & carries a CVSS score of 7. Although it is listed as ‘exploitation more likely,’ Microsoft noted in its advisory that it has a high attack complexity, because “successful exploitation of this vulnerability requires an attacker to win a race condition.”
However, researchers at Tripwire noted that exploit code is available for the bug, including in the Metasploit framework.
Critical Concerns
Of the critical flaws, all of which allow remote code-execution (RCE), researchers tagged a bug that could allow for ‘self-propagating’ exploits (CVE-2022-26809) as being of most concern.
It exists in the Remote Procedure Call (RPC) Runtime Library, & rates 9.8 out of 10 on the CVSS scale, with exploitation noted as more likely. If exploited, a remote attacker could execute code with high privileges.
Danny Kim, Principal Architect at Virsec, noted that the vulnerability is found in Microsoft’s Server Message Block (SMB) functionality, which is used mainly for file-sharing & inter-process communication, including Remote Procedure Calls.
Communication Technique
RPC is a communication technique that allows 1 program to request a service or functionality from another program located on the network (internet and/or intranet). RPCs can be used in technologies such as storage replica or in managing shared volumes.
“This vulnerability is another example of an attacker taking advantage of legitimate functionality for malicious gain,” he outlined. “Using the vulnerability, an attacker can create a specially crafted RPC to execute code on the remote server with the same permissions as the RPC service.”
Dangerous Threats
The bug could be used to create especially dangerous threats, according to Childs.
“Since no user interaction is required, these factors combine to make this wormable, at least between machines where RPC can be reached,” Childs noted.
Microsoft recommends configuring firewall rules to help prevent this vulnerability from being exploited; the static port used (TCP port 135) can be blocked at the network perimeter.
“Still, this bug could be used for lateral movement by an attacker,” Childs warned. “Definitely evaluate & deploy this one quickly.”
Network File System (NFS)
Next are CVE-2022-24491 & CVE-2022-24497, 2 RCE bugs that affect the Windows Network File System (NFS). They also have CVSS scores of 9.8, & both are listed as exploitation more likely. They also allow the potential for worming exploits, Childs warned.
“On systems where the NFS role is enabled, a remote attacker could execute their code on an affected system with high privileges & without user interaction,” Childs explained. “Again, that adds up to a wormable bug – at least between NFS servers. Similar to RPC, this is often blocked at the network perimeter.”
Immersive’s Breen added, “These could be the kind of vulnerabilities which appeal to ransomware operators as they provide the potential to expose critical data. It is also important for security teams to note that NFS Role is not a default configuration for Windows devices.”
Critical Vulnerabilities
The other critical vulnerabilities are as follows:
- CVE-2022-23259: Microsoft Dynamics 365 (on-premises) (CVSS 8.8)
- CVE-2022-22008: Windows Hyper-V (CVSS 7.7)
- CVE-2022-23257: Windows Hyper-V (CVSS 8.6)
- CVE-2022-24537: Windows Hyper-V (CVSS 7.7)
- CVE-2022-26919: Windows LDAP (CVSS 8.1)
- CVE-2022-24541: Windows Server (CVSS 8.8)
- CVE-2022-24500: Windows SMB (CVSS 8.8)
Other Bugs
Also of note: of the 18 bugs found in the Windows Domain Name Server (DNS), one (CVE-2022-26815) allows RCE & is listed as important, with a CVSS score of 7.2.
Microsoft stated that while attack complexity is low, “the attacker or targeted user would need specific elevated privileges for successful exploitation. As is best practice, regular validation & audits of administrative groups should be conducted.”
Mitigations
Finally, “there are a couple of important mitigations to point out here,” Childs outlined.
“The 1st is that dynamic updates must be enabled for a server to be affected by this bug. The CVSS also lists ‘some level of privileges’ to exploit. Still, any chance of an attacker getting RCE on a DNS server is too many, so get your DNS servers patched.”
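The exposure conditions named above (an inbound allow rule for TCP port 135, the NFS role being installed, DNS dynamic updates being enabled) can be checked on a host with a read-only audit. This is an added example, not code from Microsoft's advisory or from the researchers quoted; it assumes a Windows Server host with the NetSecurity, ServerManager & DnsServer PowerShell modules, and the function names & output fields are illustrative. It shows the host firewall's view only; the perimeter block is a separate control.

```powershell
# Added example: read-only audit of the exposure conditions named in the article.
# Function names and output fields are illustrative, not from Microsoft's advisory.

function Get-RpcMapperAllowRule {
    # Enabled inbound allow rules for TCP 135. Windows Firewall stores the RPC
    # endpoint mapper port as the keyword 'RPCEPMap', so match that as well.
    # Rules with LocalPort 'Any' or a port range are not evaluated here.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        $hit  = @($port.LocalPort | Where-Object { $_ -in '135', 'RPCEPMap' })
        if ($port.Protocol -eq 'TCP' -and $hit.Count -gt 0) {
            $addr = $rule | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Check  = 'CVE-2022-26809: inbound TCP 135 allowed'
                Item   = $rule.DisplayName
                Detail = "profile=$($rule.Profile); remote=$($addr.RemoteAddress -join ',')"
            }
        }
    }
}

function Get-NfsRoleState {
    # Server for NFS is an optional role (feature name FS-NFS-Service).
    if (-not (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue)) { return }
    $feature = Get-WindowsFeature -Name FS-NFS-Service
    if ($feature.Installed) {
        [pscustomobject]@{
            Check  = 'CVE-2022-24491/24497: NFS role installed'
            Item   = $feature.Name
            Detail = 'confirm the April 2022 update is applied'
        }
    }
}

function Get-DnsDynamicUpdateZone {
    # Zones that accept dynamic updates (Secure or NonsecureAndSecure).
    if (-not (Get-Command Get-DnsServerZone -ErrorAction SilentlyContinue)) { return }
    Get-DnsServerZone -ErrorAction SilentlyContinue |
        Where-Object { $_.DynamicUpdate -ne 'None' } | ForEach-Object {
            [pscustomobject]@{
                Check  = 'CVE-2022-26815: DNS dynamic updates enabled'
                Item   = $_.ZoneName
                Detail = "DynamicUpdate=$($_.DynamicUpdate)"
            }
        }
}

@(Get-RpcMapperAllowRule; Get-NfsRoleState; Get-DnsDynamicUpdateZone) |
    Sort-Object Check | Format-Table -AutoSize -Wrap
```

An empty result means none of the three conditions was found on that host; it does not confirm that the April 2022 update is installed.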