April Roars in with the Most Vulnerabilities Since 2020

Automox Experts Weigh in on April 2022 Patch Tuesday Release

April 2022 Patch Tuesday Overview

There's an old proverb: March comes in like a lion and goes out like a lamb. And if you’re a fan of classic Saturday Night Live, you may remember that in other countries, March comes in like a wildebeest and goes out like an ant.

But when it comes to Patch Tuesday for April, the proverb needs some slight adjustment.

Microsoft Critical Vulnerability Breakdown

Contrary to the lightness of March, April Patch Tuesday has roared in like a lion to deliver us 129 total Microsoft vulnerabilities, an amount not seen since September of 2020. That’s far more than in any month in 2021 or so far in 2022. And the number of vulnerabilities is 72 percent higher than the 12-month rolling average of 75.
 
Also, SecOps and ITOps teams will have their hands full this month with ten critical vulnerabilities, almost double the 12-month average of 5.75 and the highest so far in 2022.
 
The big news is that several critical vulnerabilities need to be highlighted for immediate action. Microsoft Hyper-V is Microsoft's hypervisor for creating and running virtual machines. Microsoft reported a whopping nine vulnerabilities for Hyper-V – three of them critical, all of which are remote code execution vulnerabilities.
 
Next, pay attention to critical vulnerabilities that impact Windows Network File System. This is a component found in the different versions of Windows Server that enables the transfer of files between computers running Windows and other non-Windows operating systems, such as Linux. The two critical remote code execution vulnerabilities are particularly nasty and carry CVSS (Common Vulnerability Scoring System) scores of 9.8/10.


Ten Microsoft applications and components are responsible for more than 55% of the reported vulnerabilities for April. Topping the list is the Windows DNS Server, with over 12% of the vulnerabilities. Next are vulnerabilities impacting Windows Print Spooler components. Automox recommends that you focus remediation efforts on the critical vulnerabilities outlined.

All ten of April’s critical vulnerabilities are Remote Code Execution – these allow an attacker to remotely execute malicious code on a computer. But when we look at the total of 129 vulnerabilities, only 37 percent are this type. The largest share, 43 percent, is actually made up of Elevation of Privilege vulnerabilities. These allow an attacker to change their access rights from “read-only” to “read and write,” for example.

Finally, as we remind you every month, Automox recommends that all critical and exploited vulnerabilities be patched within a 72-hour window, particularly those impacting Microsoft Hyper-V and Windows Network File System.

Microsoft 

CVE-2022-26919 - Windows LDAP Remote Code Execution Vulnerability - Critical
CVE-2022-26919 is a vulnerability that could allow an authenticated user to execute arbitrary code on a Windows LDAP server remotely. It has a CVSS of 8.1 and a severity rating of Critical. Affected software includes Windows 7, 8.1, 10, and 11, Windows Server 2008, 2012, 2016, 2019, 2022, and 20H2. Though this vulnerability can allow a malicious actor to execute code remotely, it has not been exploited. To be exploitable, an administrator must increase the MaxReceiveBuffer LDAP setting from the default. – Jessica Starkey

CVE-2022-23259 - Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability - Critical
CVE-2022-23259 is a critical remote code execution vulnerability identified in Microsoft Dynamics 365. Microsoft Dynamics 365 is a resource planning and customer relationship management (CRM) tool from Microsoft, and this vulnerability is present in the 9.0 and 9.1 versions of their on-premise option. Remote code execution vulnerabilities are particularly sensitive given that they enable attackers to run malicious code on the exploited systems directly. Therefore, it’s highly recommended IT administrators remediate this vulnerability within 72 hours to minimize exposure to threat actors, especially in a tool with access to sensitive customer and business data like a CRM solution. This vulnerability is similar in nature to CVE-2021-42316 back in November 2021. – Jay Goodman

CVE-2022-23257 - Windows Hyper-V Remote Code Execution Vulnerability - Critical
CVE-2022-24537 - Windows Hyper-V Remote Code Execution Vulnerability - Critical
CVE-2022-22008 - Windows Hyper-V Remote Code Execution Vulnerability - Critical

CVE-2022-23257, CVE-2022-24537, and CVE-2022-22008 are a trio of Remote Code Execution Vulnerabilities, all found in Windows Hyper-V, the native Microsoft hypervisor. According to their CVSS scores, all three have an attack vector of local and require user interaction. That means an attacker would likely have to trick a user into clicking on a malicious email link or attachment leading them to a malicious website hosted by the attacker or to a compromised website. While CVE-2022-23257 and CVE-2022-24537 are very similar, in that the attacker would have to entice a user to execute a specially crafted application or script, CVE-2022-22008 requires an attacker to win a race condition. Successful exploitation of this vulnerability would allow a Hyper-V guest to affect the functionality of the Hyper-V host. While successful exploitation of these vulnerabilities is less likely, and we have not seen these vulnerabilities exploited in the wild, I highly recommend patching these as soon as possible if you are utilizing Hyper-V in your environment today. – Chris Hass

CVE-2022-24491 - Windows Network File System Remote Code Execution Vulnerability - Critical
CVE-2022-24497 - Windows Network File System Remote Code Execution Vulnerability - Critical

CVE-2022-24497 and CVE-2022-24491 are essentially one vulnerability. Both are critical remote code execution vulnerabilities with a huge CVSS score of 9.8 that impact the same Windows Network File System and are identical across every base score metric. The only difference between the two CVEs is the security researchers that identified them. These vulnerabilities are exploitable on Windows Servers with the NFS (Network File System) role enabled and require attackers to send a specially crafted protocol network message to a vulnerable Windows machine. Given the low attack complexity, high CVSS score, and that no user interaction or privileges are required, this CVE is more likely to be exploited. Automox recommends patching this vulnerability within 24 hours. Another route for remediation is uninstalling the NFS role from your impacted Windows Servers. – Aleks Haugom

CVE-2022-26809 - RPC Runtime Library Remote Code Execution Vulnerability - Critical
CVE-2022-26809 is an Elevation of Privilege Vulnerability with a 9.8 criticality rating that impacts the Microsoft RPC runtime library. It affects Windows 7, 8.1, and 10, and Windows Server 2008, 2016, 2019, 2022, and 20H2. Although Elevation of Privilege vulnerabilities can allow attackers to gain admin access privileges and take all manner of malicious actions, the good news is this CVE has not been exploited and can be mitigated by blocking port 445 at the enterprise perimeter firewall. However, as the Microsoft RPC runtime library manages most of the processes relating to network protocols and communication, and due to the high CVSS score, Automox recommends remediating this vulnerability immediately. – Shari Barnett

CVE-2022-24541 - Windows Server Service Remote Code Execution Vulnerability - Critical
CVE-2022-24541 is a critical remote code execution vulnerability for SMB traffic with low attack complexity. This impacts the Server Service of multiple versions of Windows 7, 8.1, 10, 11, and Windows Server 2008, 2012, 2016, 2019, and 2022. Server Service is a component of the Microsoft Windows operating systems that allows a server to share files and print resources with clients over a network. This vulnerability requires that a user with an affected version of Windows access a malicious server, often when an attacker hosts a specially crafted server share or website and then convinces the user to visit, typically through an email or chat message.

Several mitigating factors are suggested, based on your circumstances. First, block TCP port 445 at the enterprise perimeter firewall. TCP port 445 is used to initiate a connection with the affected component, and blocking this port will help protect systems behind that firewall from exploit attempts. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter. The second recommendation is to follow Microsoft guidelines to prevent SMB traffic from lateral connections and from entering or leaving the network. – Gina Geisel


CVE-2022-24500 - Windows SMB Remote Code Execution Vulnerability - Critical
This Patch Tuesday, Microsoft released six security updates for Windows SMB, all for remote code execution vulnerabilities. Server Message Block (SMB) is a communication protocol that Microsoft created for providing shared access to files and printers across nodes on a network. Of the six CVEs, only one has been labeled as critical. To exploit CVE-2022-24500, user interaction is required; an attacker needs to direct a user to an SMB server so a malicious payload can be transferred as part of an OS API call. Directing a user can be achieved through social engineering or other methods. However, even the most well-trained users can fall prey to social engineering, so remediation is paramount. If, for whatever reason, this security update can’t be installed yet, blocking port 445 on the perimeter firewall can mitigate the risk of exploitation. However, this is not viable for remote systems, and at the same time, systems will still be vulnerable to attacks from within the enterprise perimeter. – Maarten Buis
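As an added example for the workarounds named in this post (not code from Automox or Microsoft), the PowerShell below is a read-only check of whether a Windows Server host meets the exposure conditions described above: the NFS role for CVE-2022-24491/24497, TCP 445 reachability for CVE-2022-26809, CVE-2022-24500 and CVE-2022-24541 (a host-level view, since the post's perimeter-firewall block cannot be checked from the endpoint), and a raised LDAP MaxReceiveBuffer for CVE-2022-26919. It assumes an elevated session on Windows Server with the ServerManager and NetSecurity modules, and the ActiveDirectory module for the LDAP policy check, which only applies on domain controllers; the function name is my own.

```powershell
# Added example, not Automox's or Microsoft's code. Read-only exposure check for
# the mitigations this post names. Assumes an elevated PowerShell session on
# Windows Server; the LDAP check needs the ActiveDirectory module and is only
# meaningful on a domain controller.

function Test-AprilPatchTuesdayExposure {
    [CmdletBinding()]
    param(
        # Documented default of the LDAP MaxReceiveBuffer policy (10 MB).
        [int64]$LdapDefaultMaxReceiveBuffer = 10485760
    )

    $result = [ordered]@{}

    # 1. CVE-2022-24491 / CVE-2022-24497: only hosts with the NFS Server role are exposed.
    $nfs = Get-WindowsFeature -Name FS-NFS-Service -ErrorAction SilentlyContinue
    $result.NfsRoleInstalled = [bool]($nfs -and $nfs.Installed)

    # 2. CVE-2022-26809 / CVE-2022-24500 / CVE-2022-24541: the post's workaround is
    #    blocking TCP 445 at the perimeter. Report whether this host listens on 445
    #    and which enabled inbound firewall rules allow it (lateral-movement exposure).
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $result.Smb445Listening = [bool]$listening

    $allowRules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains '445' -or $_.LocalPort -eq 'Any' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    $result.Inbound445AllowRules = @($allowRules | Select-Object -ExpandProperty DisplayName)

    # 3. CVE-2022-26919: exploitable only if MaxReceiveBuffer was raised above the default.
    #    The value lives in the lDAPAdminLimits attribute of the Default Query Policy.
    $result.LdapMaxReceiveBuffer = $null
    $result.LdapMaxReceiveBufferRaised = $false
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        try {
            $cfg = (Get-ADRootDSE).configurationNamingContext
            $dn = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$cfg"
            $policy = Get-ADObject -Identity $dn -Properties lDAPAdminLimits
            $entry = $policy.lDAPAdminLimits | Where-Object { $_ -like 'MaxReceiveBuffer=*' }
            if ($entry) {
                $value = [int64](($entry -split '=')[1].Trim())
                $result.LdapMaxReceiveBuffer = $value
                $result.LdapMaxReceiveBufferRaised = ($value -gt $LdapDefaultMaxReceiveBuffer)
            }
        } catch {
            Write-Verbose "LDAP policy lookup skipped: $($_.Exception.Message)"
        }
    }

    [pscustomobject]$result
}

Test-AprilPatchTuesdayExposure | Format-List
```

Any host reporting NfsRoleInstalled or LdapMaxReceiveBufferRaised as True, or a non-empty Inbound445AllowRules list while Smb445Listening is True, belongs at the front of the patch queue rather than relying on the workaround alone.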


CVE-2022-24530 - Windows Installer Elevation of Privilege Vulnerability - High and Publicly Disclosed
Microsoft released a fix for an elevation of privilege vulnerability in Windows Installer, the ubiquitous Windows tool for installing, maintaining, and removing software. Microsoft has publicly disclosed the vulnerability, though it reportedly has not been exploited in the wild. The vulnerability scores a 7.8 out of 10, as an attacker could leverage end user credentials and a simple attack locally to gain administrative privileges on the device.

Microsoft patched a similar elevation of privilege vulnerability, CVE-2021-43883, in Windows Installer in December of 2021. The vulnerability disclosed by Microsoft this month, CVE-2022-24530, affects all versions of Windows 7, 8, 10, and 11 plus Windows Server and Server Core 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 20H2, and 2022. 
– Peter Pflaster

CVE-2022-26904 - Windows User Profile Service Elevation of Privilege Vulnerability - High and Publicly Disclosed
This month, Microsoft disclosed CVE-2022-26904, which impacts the Windows User Profile Service. This component stores information about users in a central location. This vulnerability could give a local (non-network) vector to an attacker, who could then elevate their user privileges. If an attacker were able to elevate the privileges on a user profile, this could give them lots of unwanted access to a Windows computer or, worse, a server. This high-complexity vulnerability requires no user interaction, but it’s still just a PoC and has yet to be exploited in the wild. The user profile service affected is part of Windows and Windows Server. The high complexity rating is due to the fact that successful exploitation of this vulnerability requires an attacker to win a race condition, in other words, disrupting a process execution sequence. Because CVE-2022-21919 has been given a vulnerability score of “high,” it’s recommended that Windows and Windows Server users update with the official Microsoft fix as soon as possible.
– Chad McNaughton

Apple

On March 14 and 31, Apple released several updates that address security issues and provide additional functionality. 

Apple released macOS Monterey 12.3.1, iOS 15.4.1, and iPadOS 15.4.1 to remediate two potentially actively-exploited vulnerabilities. CVE-2022-22675 is a vulnerability that impacts the Apple audio and video decoding framework in all three operating systems and may have been actively exploited. The vulnerability may allow a threat actor to execute arbitrary code with kernel privileges.

CVE-2022-22674 is an out-of-bounds read vulnerability in the Intel Graphics driver that may allow an application to read kernel memory. This affects only the macOS and may have also been exploited in the wild.

For further detail about these critical vulnerabilities, please see our blog “Patch Now: Apple Announces Two Zero-Day Vulnerabilities for macOS & iOS.”

Automox recommends applying these latest updates within 72 hours. 

Additional Apple updates include Safari 15.4 for macOS Big Sur and macOS Catalina, watchOS 8.5.1, tvOS 15.4.1, and GarageBand 10.4.6, among others. 

While the list of potential implications may impact a broad spectrum of capabilities, Apple does not typically discuss or confirm security issues until an investigation has occurred. As a result, Automox recommends prioritizing the update of all Apple mobile devices to the latest OS. – Eric Feldman

Google

On March 28, Google released a security update for a new and actively-exploited vulnerability in the Chrome V8 JavaScript engine, CVE-2022-1096. Researchers have been credited with identifying the type confusion vulnerability, which, according to MITRE, “can lead to out-of-bounds memory access” in languages without memory protection. These include languages like C and C++. Google stated in the security update that they’re aware of exploits in the wild. This is a zero-day vulnerability, remediated with version 99.0.4844.84. Note that the stable channel update has since been updated to 100.0.4896.88 for Windows, Mac, and Linux. Due to the popularity of Google Chrome, Automox recommends prioritizing this update. – Eric Feldman

Adobe

Adobe’s Patch Tuesday saw updates for Acrobat and Reader, Commerce, After Effects, and Photoshop and fixed a total of 78 vulnerabilities across the four products, with 51 of the vulnerabilities allowing malicious code execution when exploited successfully.

Without a doubt, Adobe’s updates are led by a massive update for Acrobat and Reader DC 2020 and 2017 on macOS and Windows. The update fixes 62 vulnerabilities, including 35 critical (CVSS 7.8/10) arbitrary code execution vulnerabilities. 

If your organization uses Acrobat or Reader DC 2020 or 2017, we recommend updating within one to two weeks, as Adobe notes that these products are historically at an elevated risk of attack. The table below details affected versions for each product and operating system and the newly available, updated version. Review Adobe’s release notes within the Adobe Acrobat and Reader Security Bulletin for more information. – Peter Pflaster

Adobe fixed a single, critical (CVSSv3.1 9.1/10) input validation vulnerability in Commerce (2.4.3-p1 and earlier versions and 2.3.7-p2 and earlier versions) and Magento Open Source (2.4.3-p1 and earlier versions and 2.3.7-p2 and earlier versions) that may allow arbitrary code execution if exploited. If you’re using Commerce or Magento Open Source, update to Commerce version 2.3.7-p3, 2.4.3-p2, or 2.4.4 as soon as possible. If you’re using Magento, update to 2.3.7-p3, 2.4.3-p2, or 2.4.4.

Updates to After Effects for macOS and Windows fixed two critical (CVSSv3.1 7.8/10) vulnerabilities that allow arbitrary code execution on affected versions. Adobe notes that After Effects has historically not been a popular target for attack. However, we recommend updating to version 22.3 or 18.4.6 after you have applied more urgent Patch Tuesday updates on other software.

Finally, Adobe updated Photoshop 2021 (to version 22.5.7) and 2022 (to version 23.3) for Windows and macOS to remediate 13 critical vulnerabilities, all of which allow for arbitrary code execution on affected versions. Adobe notes that Photoshop has historically not been a popular target for attack. However, we recommend updating to the newest applicable version after you have applied more urgent Patch Tuesday updates on other software.


Don't miss a single vulnerability this Patch Tuesday. A detailed look at the latest patches and updates from Microsoft and multiple third-party applications can be found in April's Patch Tuesday Index below.

Last Updated 9:40 AM ET - April 11, 2022.

Mozilla Firefox

| Product | Title | Identifier | Severity |
|---|---|---|---|
| Firefox | 11 security vulnerabilities fixed in Firefox 99 | MFSA 2022-13 | High |
| Firefox ESR | 8 security vulnerabilities fixed in Firefox ESR 91.8 | MFSA 2022-14 | High |
| Thunderbird | 9 security vulnerabilities fixed in Thunderbird 91.8 | MFSA 2022-15 | High |

Adobe

| Product | Title | Identifier | Severity |
|---|---|---|---|
| Adobe Acrobat and Reader | 62 security vulnerabilities fixed in Adobe Acrobat and Reader | APSB22-16 | Adobe Priority 2 |
| Adobe Commerce | 1 security vulnerability fixed in Adobe Commerce | APSB22-13 | Adobe Priority 3 |
| Adobe After Effects | 2 security vulnerabilities fixed in Adobe After Effects | APSB22-19 | Adobe Priority 3 |
| Adobe Photoshop | 13 security vulnerabilities fixed in Adobe Photoshop | APSB22-20 | Adobe Priority 3 |

Microsoft

| Product | Title | Identifier | Severity |
|---|---|---|---|
| Role: Windows Hyper-V | Windows Hyper-V Remote Code Execution Vulnerability | CVE-2022-22008 | Critical |
| Role: Windows Hyper-V | Windows Hyper-V Remote Code Execution Vulnerability | CVE-2022-23257 | Critical |
| Microsoft Dynamics | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | CVE-2022-23259 | Critical |
| Windows Network File System | Windows Network File System Remote Code Execution Vulnerability | CVE-2022-24491 | Critical |
| Windows Network File System | Windows Network File System Remote Code Execution Vulnerability | CVE-2022-24497 | Critical |
| Windows SMB | Windows SMB Remote Code Execution Vulnerability | CVE-2022-24500 | Critical |
| Role: Windows Hyper-V | Windows Hyper-V Remote Code Execution Vulnerability | CVE-2022-24537 | Critical |
| Windows SMB | Windows Server Service Remote Code Execution Vulnerability | CVE-2022-24541 | Critical |
| Windows Remote Procedure Call Runtime | RPC Runtime Library Remote Code Execution Vulnerability | CVE-2022-26809 | Critical |
| LDAP - Lightweight Directory Access Protocol | Windows LDAP Remote Code Execution Vulnerability | CVE-2022-26919 | Critical |
| Windows SMB | Win32 Stream Enumeration Remote Code Execution Vulnerability | CVE-2022-21983 | High |
| Role: Windows Hyper-V | Windows Hyper-V Remote Code Execution Vulnerability | CVE-2022-22009 | High |
| Role: Windows Hyper-V | Windows Hyper-V Denial of Service Vulnerability | CVE-2022-23268 | High |
| Power BI | Microsoft Power BI Spoofing Vulnerability | CVE-2022-23292 | High |
| Microsoft Office SharePoint | Microsoft SharePoint Server Spoofing Vulnerability | CVE-2022-24472 | High |
| Microsoft Office Excel | Microsoft Excel Remote Code Execution Vulnerability | CVE-2022-24473 | High |
| Windows Win32K | Windows Win32k Elevation of Privilege Vulnerability | CVE-2022-24474 | High |
| Microsoft Edge (Chromium-based) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | CVE-2022-24475 | High |
| Windows Feedback Hub | Connected User Experiences and Telemetry Elevation of Privilege Vulnerability | CVE-2022-24479 | High |
| Windows Common Log File System Driver | Windows Common Log File System Driver Elevation of Privilege Vulnerability | CVE-2022-24481 | High |
| Microsoft Windows ALPC | Windows ALPC Elevation of Privilege Vulnerability | CVE-2022-24482 | High |
| Windows Kernel | Windows Kernel Information Disclosure Vulnerability | CVE-2022-24483 | High |
| Windows Cluster Shared Volume (CSV) | Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability | CVE-2022-24484 | High |
| Windows SMB | Win32 File Enumeration Remote Code Execution Vulnerability | CVE-2022-24485 | High |
| Windows Kerberos | Windows Kerberos Elevation of Privilege Vulnerability | CVE-2022-24486 | High |
| Windows Local Security Authority Subsystem Service | Windows Local Security Authority (LSA) Remote Code Execution Vulnerability | CVE-2022-24487 | High |
| Windows App Store | Windows Desktop Bridge Elevation of Privilege Vulnerability | CVE-2022-24488 | High |
| Windows Cluster Shared Volume (CSV) | Cluster Client Failover (CCF) Elevation of Privilege Vulnerability | CVE-2022-24489 | High |
| Role: Windows Hyper-V | Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability | CVE-2022-24490 | High |
| Windows Remote Procedure Call Runtime | Remote Procedure Call Runtime Remote Code Execution Vulnerability | CVE-2022-24492 | High |
| Microsoft Local Security Authority Server (lsasrv) | Microsoft Local Security Authority (LSA) Server Information Disclosure Vulnerability | CVE-2022-24493 | High |
| Windows Ancillary Function Driver for WinSock | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | CVE-2022-24494 | High |
| Microsoft Windows Media Foundation | Windows Direct Show - Remote Code Execution Vulnerability | CVE-2022-24495 | High |
| Windows Local Security Authority Subsystem Service | Local Security Authority (LSA) Elevation of Privilege Vulnerability | CVE-2022-24496 | High |
| Windows iSCSI Target Service | Windows iSCSI Target Service Information Disclosure Vulnerability | CVE-2022-24498 | High |
| Windows Installer | Windows Installer Elevation of Privilege Vulnerability | CVE-2022-24499 | High |
| Visual Studio | Visual Studio Elevation of Privilege Vulnerability | CVE-2022-24513 | High |
| Windows Common Log File System Driver | Windows Common Log File System Driver Elevation of Privilege Vulnerability | CVE-2022-24521 | High |
| Windows Endpoint Configuration Manager | Windows Endpoint Configuration Manager Elevation of Privilege Vulnerability | CVE-2022-24527 | High |
| Windows Remote Procedure Call Runtime | Remote Procedure Call Runtime Remote Code Execution Vulnerability | CVE-2022-24528 | High |
| Windows Installer | Windows Installer Elevation of Privilege Vulnerability | CVE-2022-24530 | High |
| Microsoft Windows Codecs Library | HEVC Video Extensions Remote Code Execution Vulnerability | CVE-2022-24532 | High |
| Windows RDP | Remote Desktop Protocol Remote Code Execution Vulnerability | CVE-2022-24533 | High |
| Windows SMB | Win32 Stream Enumeration Remote Code Execution Vulnerability | CVE-2022-24534 | High |
| Role: DNS Server | Windows DNS Server Remote Code Execution Vulnerability | CVE-2022-24536 | High |
| Windows Cluster Shared Volume (CSV) | Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability | CVE-2022-24538 | High |
| Role: Windows Hyper-V | Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability | CVE-2022-24539 | High |
| Microsoft Windows ALPC | Windows ALPC Elevation of Privilege Vulnerability | CVE-2022-24540 | High |
| Windows Win32K | Windows Win32k Elevation of Privilege Vulnerability | CVE-2022-24542 | High |
| Windows Upgrade Assistant | Windows Upgrade Assistant Remote Code Execution Vulnerability | CVE-2022-24543 | High |
| Windows Kerberos | Windows Kerberos Elevation of Privilege Vulnerability | CVE-2022-24544 | High |
| Windows Kerberos | Windows Kerberos Remote Code Execution Vulnerability | CVE-2022-24545 | High |
| Windows DWM Core Library | Windows DWM Core Library Elevation of Privilege Vulnerability | CVE-2022-24546 | High |
| Windows Media | Windows Digital Media Receiver Elevation of Privilege Vulnerability | CVE-2022-24547 | High |
| Windows Defender | Microsoft Defender Denial of Service Vulnerability | CVE-2022-24548 | High |
| Windows AppX Package Manager | Windows AppX Package Manager Elevation of Privilege Vulnerability | CVE-2022-24549 | High |
| Windows Telephony Server | Windows Telephony Server Elevation of Privilege Vulnerability | CVE-2022-24550 | High |
| Visual Studio | GitHub: Uncontrolled search for the Git directory in Git for Windows | CVE-2022-24765 | High |
| Visual Studio | GitHub: Git for Windows' uninstaller vulnerable to DLL hijacking when run under the SYSTEM user account | CVE-2022-24767 | High |
| Role: Windows Hyper-V | Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability | CVE-2022-26783 | High |
| Windows Cluster Shared Volume (CSV) | Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability | CVE-2022-26784 | High |
| Role: Windows Hyper-V | Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability | CVE-2022-26785 | High |
| Windows Print Spooler Components | Windows Print Spooler Elevation of Privilege Vulnerability | CVE-2022-26786 | High |
| Windows Print Spooler Components | Windows Print Spooler Elevation of Privilege Vulnerability | CVE-2022-26787 | High |
| Windows PowerShell | PowerShell Elevation of Privilege Vulnerability | CVE-2022-26788 | High |
| Windows Print Spooler Components | Windows Print Spooler Elevation of Privilege Vulnerability | CVE-2022-26789 | High |
| Windows Print Spooler Components | Windows Print Spooler Elevation of Privilege Vulnerability | CVE-2022-26790 | High |
| Windows Print Spooler Components | Windows Print Spooler Elevation of Privilege Vulnerability | CVE-2022-26791 | High |
| Windows Print Spooler Components | Windows Print Spooler Elevation of Privilege Vulnerability | CVE-2022-26792 | High |
| Windows Print Spooler Components | Windows Print Spooler Elevation of Privilege Vulnerability | CVE-2022-26793 | High |
| Windows Print Spooler Components | Windows Print Spooler Elevation of Privilege Vulnerability | CVE-2022-26794 | High |
| Windows Print Spooler Components | Windows Print Spooler Elevation of Privilege Vulnerability | CVE-2022-26795 | High |
| Windows Print Spooler Components | Windows Print Spooler Elevation of Privilege Vulnerability | | |