
SANS ISC: Microsoft May 2022 Patch Tuesday - SANS Internet Storm Center SANS ISC InfoSec Forums

Microsoft May 2022 Patch Tuesday

This month we got patches for 75 vulnerabilities. Of these, 8 are critical, 3 were previously disclosed, and one is already being exploited according to Microsoft.

The already exploited vulnerability is a spoofing vulnerability affecting Windows LSA (CVE-2022-26925) with a CVSS score of 8.1. According to the advisory, “An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows it.” Additionally, Microsoft advises that further actions, detailed in KB5005413, are needed to protect the system after applying the patch. Microsoft also advises prioritizing domain controllers when applying patches. Regarding attack complexity, the advisory says it is “Complex” given that the attacker must inject themselves into the logical network path between the target and the resource requested by the victim in order to read or modify network communications (MITM attack).

The highest CVSS score this month (9.8) is associated with a Remote Code Execution (RCE) vulnerability affecting Windows Network File System (CVE-2022-26937). The vulnerability does not affect version NFSV4.1, so, as a temporary mitigation, disabling versions NFSV2 and NFSV3 might be helpful. A similar vulnerability affecting NFS, discovered by the same researchers, was patched last month (CVE-2022-24497).

There is also an RCE vulnerability with a CVSS score of 9.8 affecting Windows LDAP (CVE-2022-22012). According to the advisory, "this vulnerability is only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. Systems with the default value of this policy would not be vulnerable".
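
Both CVSS 9.8 issues above depend on configuration: NFSV2/NFSV3 being enabled (CVE-2022-26937) and MaxReceiveBuffer being raised above its default (CVE-2022-22012). The following read-only PowerShell check is an added example, not part of the diary or of Microsoft's advisories. It assumes the Server for NFS cmdlets on file servers and the ActiveDirectory module for the LDAP check; the function names are hypothetical, and 10485760 is the documented default for MaxReceiveBuffer, which the page itself does not state.

```powershell
# Added example: read-only checks for the conditions described in the text.
# Assumption: 10485760 bytes is the documented default MaxReceiveBuffer.
$DefaultMaxReceiveBuffer = 10485760

function Test-NfsLegacyVersions {
    # CVE-2022-26937: NFSV4.1 is not affected, so flag servers still offering V2/V3.
    try { $cfg = Get-NfsServerConfiguration -ErrorAction Stop }
    catch {
        return [pscustomobject]@{ Check = 'NFS'; Flagged = $false
                                  Detail = 'Server for NFS not available on this host' }
    }
    $legacy = @()
    if ($cfg.EnableNFSV2) { $legacy += 'NFSV2' }
    if ($cfg.EnableNFSV3) { $legacy += 'NFSV3' }
    $detail = if ($legacy.Count) { "Enabled: $($legacy -join ', ')" } else { 'NFSV2 and NFSV3 are disabled' }
    # Temporary mitigation from the text, until the update is installed:
    #   Set-NfsServerConfiguration -EnableNFSV2 $false -EnableNFSV3 $false
    [pscustomobject]@{ Check = 'NFS'; Flagged = [bool]$legacy.Count; Detail = $detail }
}

function Test-LdapMaxReceiveBuffer {
    # CVE-2022-22012: only exploitable when MaxReceiveBuffer is above the default.
    Import-Module ActiveDirectory -ErrorAction Stop
    $base = 'CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,' +
            (Get-ADRootDSE).configurationNamingContext
    $policies = Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=queryPolicy)' `
                             -Properties lDAPAdminLimits
    foreach ($policy in $policies) {
        $value = $null
        # lDAPAdminLimits is a multi-valued attribute of "Name=Value" strings.
        foreach ($entry in $policy.lDAPAdminLimits) {
            if ($entry -match '^MaxReceiveBuffer=(\d+)$') { $value = [int64]$Matches[1] }
        }
        $detail = if ($null -eq $value) {
            "$($policy.Name): MaxReceiveBuffer not set on this policy object"
        } else {
            "$($policy.Name): MaxReceiveBuffer=$value (default $DefaultMaxReceiveBuffer)"
        }
        [pscustomobject]@{
            Check   = 'LDAP'
            Flagged = ($null -ne $value -and $value -gt $DefaultMaxReceiveBuffer)
            Detail  = $detail
        }
    }
}

@(Test-NfsLegacyVersions) + @(Test-LdapMaxReceiveBuffer) | Format-Table -AutoSize -Wrap
```

A row with `Flagged = True` marks a host that meets the condition named in the text and should be patched first; an unflagged host still needs the update.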

It's also worth mentioning an elevation of privilege vulnerability affecting Active Directory Domain Services (CVE-2022-26923). The vulnerability is present only on systems where Active Directory Certificate Services is running on the domain. According to the advisory, “An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege”. The CVSS score for this vulnerability is 8.8.

May 2022 Security Updates

Description
CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG)
.NET Framework Denial of Service Vulnerability
CVE-2022-30130 No No - - Low 3.3 2.9
.NET and Visual Studio Denial of Service Vulnerability
CVE-2022-23267 No No Less Likely Less Likely Important 7.5 6.5
CVE-2022-29117 No No Less Likely Less Likely Important 7.5 6.5
CVE-2022-29145 No No Less Likely Less Likely Important 7.5 6.5
Active Directory Domain Services Elevation of Privilege Vulnerability
CVE-2022-26923 No No More Likely More Likely Critical 8.8 7.7
BitLocker Security Feature Bypass Vulnerability
CVE-2022-29127 No No Less Likely Less Likely Important 4.2 3.7
Insight Software: CVE-2022-29972 Magnitude Simba Amazon Redshift ODBC Driver
CVE-2022-29972 Yes No More Likely More Likely Critical    
Microsoft Excel Remote Code Execution Vulnerability
CVE-2022-29109 No No Less Likely Less Likely Important 7.8 6.8
CVE-2022-29110 No No Less Likely Less Likely Important 7.8 6.8
Microsoft Exchange Server Elevation of Privilege Vulnerability
CVE-2022-21978 No No Less Likely Less Likely Important 8.2 7.1
Microsoft Office Security Feature Bypass Vulnerability
CVE-2022-29107 No No Less Likely Less Likely Important 5.5 4.8
Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2022-29108 No No More Likely More Likely Important 8.8 7.7
Microsoft Windows Media Foundation Remote Code Execution Vulnerability
CVE-2022-29105 No No Less Likely Less Likely Important 7.8 6.8
Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
CVE-2022-21972 No No Less Likely Less Likely Critical 8.1 7.1
CVE-2022-23270 No No More Likely More Likely Critical 8.1 7.1
Remote Desktop Client Remote Code Execution Vulnerability
CVE-2022-22017 No No More Likely More Likely Critical 8.8 7.7
Remote Desktop Protocol Client Information Disclosure Vulnerability
CVE-2022-26940 No No Less Likely Less Likely Important 6.5 5.7
Remote Procedure Call Runtime Remote Code Execution Vulnerability
CVE-2022-22019 No No Less Likely Less Likely Important 8.8 7.7
Storage Spaces Direct Elevation of Privilege Vulnerability
CVE-2022-26932 No No Less Likely Less Likely Important 8.2 7.1
CVE-2022-26938 No No Less Likely Less Likely Important 7.0 6.1
CVE-2022-26939 No No Less Likely Less Likely Important 7.0 6.1
Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability
CVE-2022-29126 No No Less Likely Less Likely Important 7.0 6.1
Upcoming improvements to Azure Data Factory and Azure Synapse Pipeline infrastructure in response to CVE-2022-29972
ADV220001 No No - - Critical    
Visual Studio Code Remote Code Execution Vulnerability
CVE-2022-30129 No No Less Likely Less Likely Important 8.8 7.7
Visual Studio Remote Code Execution Vulnerability
CVE-2022-29148 No No Less Likely Less Likely Important 7.8 6.8
Windows ALPC Elevation of Privilege Vulnerability
CVE-2022-23279 No No More Likely More Likely Important 7.0 6.1
Windows Address Book Remote Code Execution Vulnerability
CVE-2022-26926 No No Less Likely Less Likely Important 7.8 6.8
Windows Authentication Security Feature Bypass Vulnerability
CVE-2022-26913 No No Less Likely Less Likely Important 7.4 6.4
Windows Cluster Shared Volume (CSV) Elevation of Privilege Vulnerability
CVE-2022-29135 No No Less Likely Less Likely Important 7.0 6.1
CVE-2022-29150 No No Less Likely Less Likely Important 7.0 6.1
CVE-2022-29151 No No Less Likely Less Likely Important 7.0 6.1
Windows Clustered Shared Volume Elevation of Privilege Vulnerability
CVE-2022-29138 No No Less Likely Less Likely Important 7.0 6.1
Windows Clustered Shared Volume Information Disclosure Vulnerability
CVE-2022-29134 No No Less Likely Less Likely Important 6.5 5.7
CVE-2022-29120 No No Less Likely Less Likely Important 6.5 5.7
CVE-2022-29122 No No Less Likely Less Likely Important 6.5 5.7
CVE-2022-29123 No No Less Likely Less Likely Important 6.5 5.9
Windows Digital Media Receiver Elevation of Privilege Vulnerability
CVE-2022-29113 No No Less Likely Less Likely Important 7.8 6.8
Windows Failover Cluster Information Disclosure Vulnerability
CVE-2022-29102 No No Less Likely Less Likely Important 5.5 4.8
Windows Fax Service Remote Code Execution Vulnerability
CVE-2022-29115 No No Less Likely Less Likely Important 7.8 6.8
Windows Graphics Component Information Disclosure Vulnerability
CVE-2022-26934 No No Less Likely Less Likely Important 6.5 5.7
CVE-2022-22011 No No Less Likely Less Likely Important 5.5 4.8
CVE-2022-29112 No No Less Likely Less Likely Important 6.5 5.7
Windows Graphics Component Remote Code Execution Vulnerability
CVE-2022-26927 No No Less Likely Less Likely Important 8.8 7.7
Windows Hyper-V Denial of Service Vulnerability
CVE-2022-22713 Yes No Less Likely Less Likely Important 5.6 5.1
Windows Hyper-V Security Feature Bypass Vulnerability
CVE-2022-24466 No No Less Likely Less Likely Important 4.1 3.6
Windows Hyper-V Shared Virtual Disk Elevation of Privilege Vulnerability
CVE-2022-29106 No No Less Likely Less Likely Important 7.0 6.1
Windows Kerberos Elevation of Privilege Vulnerability
CVE-2022-26931 No No Less Likely Less Likely Critical 7.5 6.5
Windows Kernel Elevation of Privilege Vulnerability
CVE-2022-29133 No No Less Likely Less Likely Important 8.8 7.7
CVE-2022-29142 No No More Likely More Likely Important 7.0 6.1
Windows Kernel Information Disclosure Vulnerability
CVE-2022-29116 No No Less Likely Less Likely Important 4.7 4.1
Windows LDAP Remote Code Execution Vulnerability
CVE-2022-22012 No No Less Likely Less Likely Important 9.8 8.5
CVE-2022-22013 No No Less Likely Less Likely Important 8.8 7.7
CVE-2022-22014 No No Less Likely Less Likely Important 8.8 7.7
CVE-2022-29128 No No Less Likely Less Likely Important 8.8 7.7
CVE-2022-29129 No No Less Likely Less Likely Important 8.8 7.7
CVE-2022-29130 No No Less Likely Less Likely Important 9.8 8.5
CVE-2022-29131 No No Less Likely Less Likely Important 8.8 7.7
CVE-2022-29137 No No Less Likely Less Likely Important 8.8 7.7
CVE-2022-29139 No No Less Likely Less Likely Important 8.8 7.7
CVE-2022-29141 No No Less Likely Less Likely Important 8.8 7.7
Windows LSA Spoofing Vulnerability
CVE-2022-26925 Yes Yes Detected Detected Important 8.1 7.1
Windows NTFS Information Disclosure Vulnerability
CVE-2022-26933 No No Less Likely Less Likely Important 5.5 4.8
Windows Network File System Remote Code Execution Vulnerability
CVE-2022-26937 No No More Likely More Likely Critical 9.8 8.5
Windows PlayToManager Elevation of Privilege Vulnerability
CVE-2022-22016 No No Less Likely Less Likely Important 7.0 6.1
Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2022-29104 No No More Likely More Likely Important 7.8 6.8
CVE-2022-29132 No No More Likely More Likely Important 7.8 6.8
Windows Print Spooler Information Disclosure Vulnerability
CVE-2022-29114 No No More Likely More Likely Important 5.5 4.8
CVE-2022-29140 No No Less Likely Less Likely Important 5.5 4.8
Windows Push Notifications Apps Elevation of Privilege Vulnerability
CVE-2022-29125 No No Less Likely Less Likely Important 7.0 6.1
Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
CVE-2022-29103 No No Less Likely Less Likely Important 7.8 6.8
Windows Remote Access Connection Manager Information Disclosure Vulnerability
CVE-2022-26930 No No Less Likely Less Likely Important 5.5 4.8
Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
CVE-2022-22015 No No Less Likely Less Likely Important 6.5 5.7
Windows Server Service Information Disclosure Vulnerability
CVE-2022-26936 No No Less Likely Less Likely Important 6.5 5.7
Windows WLAN AutoConfig Service Denial of Service Vulnerability
CVE-2022-29121 No No Less Likely Less Likely Important 6.5 5.7
Windows WLAN AutoConfig Service Information Disclosure Vulnerability
CVE-2022-26935 No No Less Likely Less Likely Important 6.5 5.7

--
Renato Marinho
Morphus Labs | LinkedIn | Twitter

May 13th 2022
