Otto  background

Patch Tuesday: May 2022 Brings Some Heavy-Hitting Vulnerabilities

Automox Experts Weigh in on May 2022 Patch Tuesday Release

Connect With Us

Start now, and patch, configure, and control all your endpoints in just 15 minutes.

May 2022 Patch Tuesday Overview

There's an old proverb: March comes in like a lion and goes out like a lamb. And if you’re a fan of classic Saturday Night Live, you may remember that in other countries, March comes in like a wildebeest and goes out like an ant.

But when it comes to Patch Tuesday for April, the proverb needs some slight adjustment.

Microsoft Critical Vulnerability Breakdown

Contrary to the lightness of March, April Patch Tuesday has roared in like a lion to deliver us 129 total Microsoft vulnerabilities, an amount not seen since September of 2020. That’s far more than in any month in 2021 or so far in 2022. And the number of vulnerabilities is 72 percent higher than the 12-month rolling average of 75.
 
Also, SecOps and ITOps teams will have their hands full this month with ten critical vulnerabilities, almost double the 12-month average of 5.75 and the highest so far in 2022.
 
The big news is several critical vulnerabilities need to be highlighted for immediate action. Microsoft Hyper-V is their hypervisor that lets you create and run virtual machines. Microsoft reported a whopping nine vulnerabilities for Hyper-V – three of them critical, all of which are remote code execution vulnerabilities.
 
Next, pay attention to critical vulnerabilities that impact Windows Network File System. This is a component found in the different versions of Windows Server that enables the transfer of files between computers running Windows and other non-Windows operating systems, such as Linux. The two critical remote code execution vulnerabilities are particularly nasty and carry CVSS (Common Vulnerability Scoring System) scores of 9.8/10.


Ten Microsoft applications and components are responsible for more than 55% of the reported vulnerabilities for April. Topping the list is the Windows DNS Server, with over 12% of the vulnerabilities. Next are vulnerabilities impacting Windows Print Spooler components. Automox recommends that you focus remediation efforts on the critical vulnerabilities outlined.

All ten of April’s critical vulnerabilities are Remote Code Execution – these allow an attacker to remotely execute malicious code on a computer. But when we look at the total 129 vulnerabilities, only 37 percent are this type. The majority of 43 percent for April is actually made up of Elevation of Privilege vulnerabilities. These allow an attacker to change their access rights from "read-only" to "read and write,” for example.

Finally, as we remind you every month, Automox recommends that all critical and exploited vulnerabilities be patched within a 72-hour window, particularly those impacting Microsoft Hyper-V and Windows Network File System.

Microsoft 

CVE-2022-26919 - Windows LDAP Remote Code Execution Vulnerability - Critical
CVE-2022-26919 is a vulnerability that could allow an authenticated user to execute arbitrary code on a Windows LDAP server remotely. It has a CVSS of 8.1 and a severity rating of Critical. Affected software includes Windows 7, 8.1, 10, and 11, Windows Server 2008, 2012,  2016, 2019, 2022, and 20H2. Though this vulnerability can allow a malicious actor to execute code remotely, it has not been exploited. To be exploitable, an administrator must increase the MaxReceiveBuffer LDAP setting from the default. – Jessica Starkey

CVE-2022-23259 - Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability - Critical
CVE-2022-23259 is a critical remote code execution vulnerability identified in Microsoft Dynamics 365. Microsoft Dynamics 365 is a resource planning and customer relationship management (CRM) tool from Microsoft, and this vulnerability is present in the 9.0 and 9.1 versions of their on-premise option. Remote code execution vulnerabilities are particularly sensitive given that they enable attackers to run malicious code on the exploited systems directly. Therefore, it’s highly recommended IT administrators remediate this vulnerability within 72 hours to minimize exposure to threat actors, especially in a tool with access to sensitive customer and business data like a CRM solution. This vulnerability is similar in nature to CVE-2021-42316 back in November 2021. – Jay Goodman

CVE-2022-23257 - Windows Hyper-V Remote Code Execution Vulnerability - Critical
CVE-2022-24537 - Windows Hyper-V Remote Code Execution Vulnerability - Critical
CVE-2022-22008 - Windows Hyper-V Remote Code Execution Vulnerability - Critical

CVE-2022-23257, CVE-2022-24537, and CVE-2022-22008 are a trio of Remote Code Execution Vulnerabilities, all found in Windows Hyper-V, the native Microsoft hypervisor. According to their CVSS scores, all three have an attacker vector of local and user interaction required. That means an attacker would likely have to trick a user into clicking on a malicious email link or attachment leading them to a malicious website hosted by the attacker or compromised website. While CVE-2022-23257 and CVE-2022-24537 are very similar, the attacker would have to entice a user to execute a specially crafted application or script; CVE-2022-22008 requires an attacker to win a race condition. Successful exploitation of this vulnerability would allow a Hyper-V guest to affect the functionality of the Hyper-V host. While successful exploitation of these vulnerabilities is less likely, and we have not seen these vulnerabilities exploited in the wild, I highly recommend patching these as soon as possible if you are utilizing Hyper-V in your environment today. – Chris Hass

CVE-2022-24491 - Windows Network File System Remote Code Execution Vulnerability - Critical
CVE-2022-24497 - Windows Network File System Remote Code Execution Vulnerability - Critical

CVE-2022-24497 and CVE-2002-24491 are essentially one vulnerability. Both are critical remote code execution vulnerabilities with a huge CVSS score of 9.8 that impact the same Windows Network File System and are identical across every base score metric. The only difference between the two CVEs is the security researchers that identified them. These vulnerabilities are  exploitable by Windows Servers with NFS (Network File System) role enabled and requires attackers to send a specially crafted protocol network message to a vulnerable Windows machine. Given the low attack complexity, high CVSS score, and that no user interaction or privileges are required, this CVE is more likely to be exploited. Automox recommends patching this vulnerability within 24 hours. Another route for remediation is uninstalling the NFS role from your impacted Windows Servers. – Aleks Haugom

CVE-2022-26809 - RPC Runtime Library Remote Code Execution Vulnerability - Critical
CVE-2022-26809 is an Elevation of Privilege Vulnerability with a 9.8 criticality rating that impacts the Microsoft RPC runtime library. It affects Windows 7, 8.1, and 10, and Windows Server 2008, 2016, 2019, 2022, and 20H2. Although Elevation of Privilege vulnerabilities can allow attackers to gain admin access privileges and take all ilk of malicious actions, the good news is this CVE has not been exploited and can be mitigated by blocking port 445 at the enterprise perimeter firewall. However, as the Microsoft RPC runtime library manages most of the processes relating to network protocols and communication, and due to the high CVSS score, Automox recommends remediating this vulnerability immediately. –  Shari Barnett 

CVE-2022-24541 - Windows Server Service Remote Code Execution Vulnerability - Critical
CVE-2021-24541 is a critical remote code execution vulnerability for SMB traffic with low attack complexity. This impacts the server service of multiple versions of Windows 7, 8.1, 10, 11, and Windows Server 2008, 2012, 2016, 2019, and 2022. Server Service is a component of the Microsoft Windows operating systems that allows a server to share files and print resources with clients over a network. This vulnerability requires that a user with an affected version of Windows access a malicious server, often when an attacker hosts a specially crafted server share or website and then convinces the user to visit, typically through an email or chat message. 

Several mitigation factors are suggested, based on your circumstances. First, block TCP port 445 at the enterprise perimeter firewall. TCP port 445 is used to initiate a connection with the affected component, and blocking this port will help protect systems behind that firewall from exploit attempts. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter. The second recommendation is to follow Microsoft guidelines to prevent SMB traffic from lateral connections and entering or leaving the network. –  Gina Geisel


CVE-2022-24500 - Windows SMB Remote Code Execution Vulnerability - Critical
This Patch Tuesday, Microsoft released six security updates for Windows SMB, all for remote code execution vulnerabilities. Server Message Block (SMB) is a communication protocol that Microsoft created for providing shared access to files and printers across nodes on a network. Of the 6 CVEs, only one has been labeled as critical. To exploit CVE-2022-24500, user interaction is required; an attacker needs to direct a user to an SMB server so a malicious payload can be transferred as part of an OS API call. Directing a user can be achieved through social engineering or other methods. However, even the most well-trained users can fall prey to social engineering, so remediation is paramount. If, for whatever reason, this security update can’t be installed yet, blocking port 445 on the perimeter firewall can mitigate the risk of exploitation. However, this is not viable for remote systems, and at the same time, systems will still be vulnerable to attacks from within the enterprise perimeter. – Maarten Buis


CVE-2022-24530 - Windows Installer Elevation of Privilege Vulnerability - High and Publicly Disclosed
Microsoft released a fix for an elevation of privilege vulnerability in Windows Installer, the ubiquitous Windows tool for installing, maintaining, and removing software. Microsoft has publicly disclosed the vulnerability, though it reportedly has not been exploited in the wild. The vulnerability scores a 7.8 out of 10, as an attacker could leverage end user credentials and a simple attack locally to gain administrative privileges on the device.

Microsoft patched a similar elevation of privilege vulnerability, CVE-2021-43883, in Windows Installer in December of 2021. The vulnerability disclosed by Microsoft this month, CVE-2022-24530, affects all versions of Windows 7, 8, 10, and 11 plus Windows Server and Server Core 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 20H2, and 2022. 
– Peter Pflaster

CVE-2022-26904 - Windows User Profile Service Elevation of Privilege Vulnerability - High and Publicly Disclosed
This month, Microsoft disclosed CVE-2022-26904 which impacts the Windows User Profile Service. This component stores information about users in a central location. This vulnerability could give a local (non-network) vector to an attacker, who could then elevate their user privileges. If an attacker were able to elevate the privileges on a user profile, this could give them lots of unwanted access to a Windows computer or, worse, a server. This high-complexity vulnerability requires no user interaction, but it’s still just a POC and has yet to be exploited in the wild. The user profile service affected is part of Windows and Windows Server. The high complexity rating is due to the fact that successful exploitation of this vulnerability requires an attacker to win a race condition, in other words, disrupting a process execution sequence. Because CVE-2022-21919 has been given a vulnerability score of “high,” it’s recommended that Windows and WinServer users update with the official Microsoft fix as soon as possible. 
– Chad McNaughton

Apple

On March 14 and 31, Apple released several updates that address security issues and provide additional functionality. 

Apple released macOS Monterey 12.3.1, iOS 15.4.1, and iPadOS 15.4.1 to remediate two potentially actively-exploited vulnerabilities. CVE-2022-22675 is a vulnerability that impacts the Apple audio and video decoding framework in all three operating systems and may have been actively exploited. The vulnerability may allow a threat actor to execute arbitrary code with kernel privileges.

CVE-2022-22674 is an out-of-bounds read vulnerability in the Intel Graphics driver that may allow an application to read kernel memory. This affects only the macOS and may have also been exploited in the wild.

For further detail about these critical vulnerabilities, please see our blog “Patch Now: Apple Announces Two Zero-Day Vulnerabilities for macOS & iOS.

Automox recommends applying these latest updates within 72 hours. 

Additional Apple updates include Safari 15.4 for macOS Big Sur and macOS Catalina, watchOS 8.5.1, tvOS 15.4.1, and GarageBand 10.4.6, among others. 

While the list of potential implications may impact a broad spectrum of capabilities, Apple does not typically discuss or confirm security issues until an investigation has occurred. As a result, Automox recommends prioritizing the update of all Apple mobile devices to the latest OS. – Eric Feldman

Google

On March 28, Google released a security update for a new and actively-exploited vulnerability in the Chrome V8 Javascript engine with CVE-2022-1096. Researchers have been credited with identifying the type of confusion vulnerability that, according to MITRE, “can lead to out-of-bounds memory access” in languages without memory protection. These include languages like C and C++. Google stated in the security update that they’re aware of exploits in the wild. This is a zero-day vulnerability, remediated with version 99.0.4844.84. Note that the stable channel update has since been updated to 100.0.4896.88 for Windows, Mac, and Linux. Due to the popularity of Google Chrome, Automox recommends prioritizing this update. – Eric Feldman

Adobe

Adobe’s Patch Tuesday saw updates for Acrobat and Reader, Commerce, After Effects, and Photoshop and fixed a total of 78 vulnerabilities across the four products, with 51 of the vulnerabilities allowing malicious code execution when exploited successfully.

Without a doubt, Adobe’s updates are led by a massive update for Acrobat and Reader DC 2020 and 2017 on macOS and Windows. The update fixes 62 vulnerabilities, including 35 critical (CVSS 7.8/10) arbitrary code execution vulnerabilities. 

If your organization uses Acrobat or Reader DC 2020 or 2017, we recommend updating within one to two weeks, as Adobe notes that these products are historically at an elevated risk of attack. The table below details affected versions for each product and operating system and the newly available, updated version. Review Adobe’s release notes within the Adobe Acrobat and Reader Security Bulletin for more information. – Peter Pflaster