This month’s Patch Tuesday offers some much-needed respite for IT teams. However, there are still a few critical vulnerabilities for administrators to focus on to reduce the risk of a breach at their organization – including a particularly nasty remote code execution vulnerability in Windows Network File System (NFS).
June’s Patch Tuesday sees the vulnerability count fall even lower than May’s, with just 55 vulnerabilities patched. That’s the lowest number we’ve seen since February 2022, and a similar volume to June of last year. If that’s any indication, administrators should take advantage of a relatively light month to prepare for what could be a heavy July.
This month Microsoft patched just three critical vulnerabilities, but they affect heavy-hitting, widely used components: Hyper-V, Lightweight Directory Access Protocol (LDAP), and Network File System (NFS). All three allow remote code execution when exploited and require immediate action from administrators. CVE-2022-30136 is particularly dangerous, netting a CVSSv3.1 score of 9.8/10 for an RCE vulnerability in NFS that Microsoft rates as more likely to be exploited.
We also saw actively exploited and publicly-disclosed vulnerabilities return to zero, a three-month trend that was broken by last month’s (May) Patch Tuesday.
June’s vulnerability breakdown shows zero exploited vulnerabilities and just three critical vulnerabilities, in LDAP, Hyper-V, and NFS – components in use at enterprises of nearly all sizes. All three are remote code execution vulnerabilities.
CVE-2022-30163 – Windows Hyper-V Remote Code Execution Vulnerability – Critical
CVE-2022-30163 is a critical remote code execution (RCE) vulnerability within Windows Hyper-V, affecting multiple flavors of Windows and Windows Server. The attack complexity for this vulnerability is high and successful exploitation requires the attacker to win a race condition. In other words, the attacker would need to take advantage of the sequence in which the system processes tasks to trick the system into carrying out unauthorized actions in addition to its normal processes. In this case, a successful attack could be performed from a low-privilege Hyper-V guest. The attacker could traverse the guest’s security boundary to execute code on the Hyper-V host execution environment. Exploitation of this vulnerability is considered less likely, but given the critical severity, should be remediated within 72 hours to ensure minimum exposure. – Justin Knapp
CVE-2022-30139 – Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability – Critical
CVE-2022-30139 is a critical vulnerability in Windows Lightweight Directory Access Protocol (LDAP) with a base CVSSv3.1 score of 8.1/10. The attack is of high complexity but requires no end user interaction, and a successful exploit yields remote code execution.
Although severe, systems are only vulnerable in a non-default configuration: the MaxReceiveBuffer LDAP policy must be set to a value higher than the default. If that policy has been raised, affected systems include Windows 10 (32-bit, x64, and ARM64) versions 1607, 1809, 20H2, 21H1, and 21H2, Windows 11, and Windows Server 2016 and later (including Server Core installations). – Peter Pflaster
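Because exposure hinges on one LDAP policy, the first thing to check on a domain is whether MaxReceiveBuffer has actually been raised. The following script is an added example, not part of the Automox post or any Microsoft guidance. It assumes the RSAT ActiveDirectory module, a domain-joined session, and that the default MaxReceiveBuffer of 10485760 bytes (10 MB) documented by Microsoft for LDAP policies still applies; it reads the Default Query Policy object, where LDAP policies are stored as "Name=Value" strings in the lDAPAdminLimits attribute.

```powershell
# Added example (not from the Automox post): report whether the domain's LDAP
# MaxReceiveBuffer policy exceeds the default, the precondition for CVE-2022-30139.
# Assumes the RSAT ActiveDirectory module and an authenticated domain session.
Import-Module ActiveDirectory

# Microsoft's documented default for MaxReceiveBuffer (10 MB).
$defaultMaxReceiveBuffer = 10485760

# LDAP policies live in lDAPAdminLimits on the Default Query Policy object
# in the Configuration partition.
$configNc = (Get-ADRootDSE).configurationNamingContext
$policyDn = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$limits   = (Get-ADObject -Identity $policyDn -Properties lDAPAdminLimits).lDAPAdminLimits

# Entries look like "MaxReceiveBuffer=10485760". If the entry is absent, the
# built-in default applies.
$entry = $limits | Where-Object { $_ -like 'MaxReceiveBuffer=*' }

if (-not $entry) {
    "MaxReceiveBuffer is not set in lDAPAdminLimits; the default ($defaultMaxReceiveBuffer) applies, so the CVE-2022-30139 precondition is not met."
} else {
    $value = [int64](($entry -split '=', 2)[1])
    if ($value -gt $defaultMaxReceiveBuffer) {
        "MaxReceiveBuffer=$value exceeds the default of $defaultMaxReceiveBuffer; domain controllers are exposed to CVE-2022-30139 until patched."
    } else {
        "MaxReceiveBuffer=$value is at or below the default; the CVE-2022-30139 precondition is not met."
    }
}
```

Caveat: a domain controller can be pointed at a different query policy through the queryPolicyObject attribute on its NTDS Settings object; this script inspects only the Default Query Policy, so check any per-DC policy objects the same way.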
CVE-2022-30136 – Windows Network File System Remote Code Execution Vulnerability - Critical
CVE-2022-30136 has a critical severity rating with low attack complexity and impacts Windows Server 2012, 2012 R2, 2016, and 2019. It can be exploited over the network by sending an unauthenticated, specially crafted call to the Network File System (NFS) service, resulting in remote code execution (RCE).
Mitigating this vulnerability is highly recommended. The vulnerability is not exploitable in NFSv2.0 or NFSv3.0, so prior to updating your version of Windows you can mitigate an attack by disabling NFSv4.1. Doing so can adversely affect your environment (clients that depend on NFSv4.1 will lose access) and should only be used as a temporary mitigation.
Warning: You should NOT apply this mitigation unless you have installed the May 2022 Windows security updates. Those updates address CVE-2022-26937 which is a critical vulnerability in NFSV2.0 and NFSV3.0.
The following PowerShell command disables NFSv4.1 (NFSv2.0 and NFSv3.0 remain enabled):
PS C:\Set-NfsServerConfiguration -EnableNFSV4 $false
After running the command, you will need to restart the NFS server or reboot the machine. To restart the NFS server, open a cmd window with Run as Administrator and enter the following commands:
nfsadmin server stop
nfsadmin server start
To confirm that NFSv4.1 has been turned off, run the following command in a Powershell window:
- Gina Geisel
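The mitigation above is order-sensitive: the May 2022 update must already be present, NFSv4.1 is then disabled, the service is restarted, and the result is verified. The script below is an added example that ties those steps together; it is not code from the Automox post or from Microsoft’s advisory. It assumes an elevated PowerShell session on a server with the Server for NFS role installed (which ships the Nfs cmdlets), that Get-NfsServerConfiguration exposes the version flag as an EnableNFSV4 property, and that you supply the KB number of the May 2022 cumulative update for your specific Windows build (the parameter is a placeholder you must fill in; it is not a fixed value).

```powershell
# Added example (not from the Automox post or Microsoft's advisory): apply the
# NFSv4.1 mitigation for CVE-2022-30136 only after the May 2022 update is
# confirmed, restart Server for NFS, and verify the new state.
# Assumes an elevated session on a host with the Server for NFS role.
param(
    # KB of the May 2022 cumulative update for this build; look it up for your
    # OS version. Hypothetical placeholder, supplied by the operator.
    [Parameter(Mandatory = $true)]
    [string]$MayUpdateKb
)

# Guard: without the May 2022 update, NFSv2/v3 are still exposed to
# CVE-2022-26937, so forcing clients down to those versions would be worse.
if (-not (Get-HotFix -Id $MayUpdateKb -ErrorAction SilentlyContinue)) {
    throw "Update $MayUpdateKb is not installed. Install the May 2022 security update before disabling NFSv4.1."
}

# Record the current state; any clients on NFSv4.1 will lose service after this.
# (EnableNFSV4 is assumed to be the property name reported by the cmdlet.)
$before = Get-NfsServerConfiguration
"NFSv4 enabled before change: $($before.EnableNFSV4)"

# The mitigation itself: turn off NFSv4.1 (NFSv2.0 and NFSv3.0 stay enabled).
Set-NfsServerConfiguration -EnableNFSV4 $false

# The change only takes effect after the NFS server is restarted.
nfsadmin server stop
nfsadmin server start

# Verify the resulting state instead of trusting the cmdlet call.
$after = Get-NfsServerConfiguration
if ($after.EnableNFSV4) {
    throw "NFSv4.1 is still enabled; the mitigation did not apply."
}
"NFSv4.1 disabled. Re-enable it with 'Set-NfsServerConfiguration -EnableNFSV4 `$true' once the June update is installed."
```

Run it as `.\Disable-NfsV41.ps1 -MayUpdateKb KB<number>` with the KB for your build; because the update check is a hard stop, the script cannot be used to accidentally downgrade an unpatched host to NFSv2/v3.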
Automox for Easy IT Operations
Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day.
Demo Automox and join thousands of companies transforming IT operations into a strategic business driver.