April 2022 Patch Tuesday Overview
There's an old proverb: March comes in like a lion and goes out like a lamb. And if you’re a fan of classic Saturday Night Live, you may remember that in other countries, March comes in like a wildebeest and goes out like an ant.
But when it comes to Patch Tuesday for April, the proverb needs some slight adjustment.
Microsoft Critical Vulnerability Breakdown
Contrary to the lightness of March, April Patch Tuesday has roared in like a lion to deliver us 129 total Microsoft vulnerabilities, an amount not seen since September of 2020. That’s far more than in any month in 2021 or so far in 2022. And the number of vulnerabilities is 72 percent higher than the 12-month rolling average of 75.
Also, SecOps and ITOps teams will have their hands full this month with ten critical vulnerabilities, almost double the 12-month average of 5.75 and the highest so far in 2022.
The big news is several critical vulnerabilities need to be highlighted for immediate action. Microsoft Hyper-V is their hypervisor that lets you create and run virtual machines. Microsoft reported a whopping nine vulnerabilities for Hyper-V – three of them critical, all of which are remote code execution vulnerabilities.
Next, pay attention to critical vulnerabilities that impact Windows Network File System. This is a component found in the different versions of Windows Server that enables the transfer of files between computers running Windows and other non-Windows operating systems, such as Linux. The two critical remote code execution vulnerabilities are particularly nasty and carry CVSS (Common Vulnerability Scoring System) scores of 9.8/10.
Ten Microsoft applications and components are responsible for more than 55% of the reported vulnerabilities for April. Topping the list is the Windows DNS Server, with over 12% of the vulnerabilities. Next are vulnerabilities impacting Windows Print Spooler components. Automox recommends that you focus remediation efforts on the critical vulnerabilities outlined.
All ten of April’s critical vulnerabilities are Remote Code Execution – these allow an attacker to remotely execute malicious code on a computer. But when we look at the total 129 vulnerabilities, only 37 percent are this type. The majority of 43 percent for April is actually made up of Elevation of Privilege vulnerabilities. These allow an attacker to change their access rights from "read-only" to "read and write,” for example.
Finally, as we remind you every month, Automox recommends that all critical and exploited vulnerabilities be patched within a 72-hour window, particularly those impacting Microsoft Hyper-V and Windows Network File System.
CVE-2022-26919 - Windows LDAP Remote Code Execution Vulnerability - Critical
CVE-2022-26919 is a vulnerability that could allow an authenticated user to execute arbitrary code on a Windows LDAP server remotely. It has a CVSS of 8.1 and a severity rating of Critical. Affected software includes Windows 7, 8.1, 10, and 11, Windows Server 2008, 2012, 2016, 2019, 2022, and 20H2. Though this vulnerability can allow a malicious actor to execute code remotely, it has not been exploited. To be exploitable, an administrator must increase the MaxReceiveBuffer LDAP setting from the default. – Jessica Starkey
CVE-2022-23259 - Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability - Critical
CVE-2022-23259 is a critical remote code execution vulnerability identified in Microsoft Dynamics 365. Microsoft Dynamics 365 is a resource planning and customer relationship management (CRM) tool from Microsoft, and this vulnerability is present in the 9.0 and 9.1 versions of their on-premise option. Remote code execution vulnerabilities are particularly sensitive given that they enable attackers to run malicious code on the exploited systems directly. Therefore, it’s highly recommended IT administrators remediate this vulnerability within 72 hours to minimize exposure to threat actors, especially in a tool with access to sensitive customer and business data like a CRM solution. This vulnerability is similar in nature to CVE-2021-42316 back in November 2021. – Jay Goodman
CVE-2022-23257 - Windows Hyper-V Remote Code Execution Vulnerability - Critical
CVE-2022-24537 - Windows Hyper-V Remote Code Execution Vulnerability - Critical
CVE-2022-22008 - Windows Hyper-V Remote Code Execution Vulnerability - Critical
CVE-2022-23257, CVE-2022-24537, and CVE-2022-22008 are a trio of Remote Code Execution Vulnerabilities, all found in Windows Hyper-V, the native Microsoft hypervisor. According to their CVSS scores, all three have an attacker vector of local and user interaction required. That means an attacker would likely have to trick a user into clicking on a malicious email link or attachment leading them to a malicious website hosted by the attacker or compromised website. While CVE-2022-23257 and CVE-2022-24537 are very similar, the attacker would have to entice a user to execute a specially crafted application or script; CVE-2022-22008 requires an attacker to win a race condition. Successful exploitation of this vulnerability would allow a Hyper-V guest to affect the functionality of the Hyper-V host. While successful exploitation of these vulnerabilities is less likely, and we have not seen these vulnerabilities exploited in the wild, I highly recommend patching these as soon as possible if you are utilizing Hyper-V in your environment today. – Chris Hass
CVE-2022-24491 - Windows Network File System Remote Code Execution Vulnerability - Critical
CVE-2022-24497 - Windows Network File System Remote Code Execution Vulnerability - Critical
CVE-2022-24497 and CVE-2002-24491 are essentially one vulnerability. Both are critical remote code execution vulnerabilities with a huge CVSS score of 9.8 that impact the same Windows Network File System and are identical across every base score metric. The only difference between the two CVEs is the security researchers that identified them. These vulnerabilities are exploitable by Windows Servers with NFS (Network File System) role enabled and requires attackers to send a specially crafted protocol network message to a vulnerable Windows machine. Given the low attack complexity, high CVSS score, and that no user interaction or privileges are required, this CVE is more likely to be exploited. Automox recommends patching this vulnerability within 24 hours. Another route for remediation is uninstalling the NFS role from your impacted Windows Servers. – Aleks Haugom
CVE-2022-26809 - RPC Runtime Library Remote Code Execution Vulnerability - Critical
CVE-2022-26809 is an Elevation of Privilege Vulnerability with a 9.8 criticality rating that impacts the Microsoft RPC runtime library. It affects Windows 7, 8.1, and 10, and Windows Server 2008, 2016, 2019, 2022, and 20H2. Although Elevation of Privilege vulnerabilities can allow attackers to gain admin access privileges and take all ilk of malicious actions, the good news is this CVE has not been exploited and can be mitigated by blocking port 445 at the enterprise perimeter firewall. However, as the Microsoft RPC runtime library manages most of the processes relating to network protocols and communication, and due to the high CVSS score, Automox recommends remediating this vulnerability immediately. – Shari Barnett
CVE-2022-24541 - Windows Server Service Remote Code Execution Vulnerability - Critical
CVE-2021-24541 is a critical remote code execution vulnerability for SMB traffic with low attack complexity. This impacts the server service of multiple versions of Windows 7, 8.1, 10, 11, and Windows Server 2008, 2012, 2016, 2019, and 2022. Server Service is a component of the Microsoft Windows operating systems that allows a server to share files and print resources with clients over a network. This vulnerability requires that a user with an affected version of Windows access a malicious server, often when an attacker hosts a specially crafted server share or website and then convinces the user to visit, typically through an email or chat message.
Several mitigation factors are suggested, based on your circumstances. First, block TCP port 445 at the enterprise perimeter firewall. TCP port 445 is used to initiate a connection with the affected component, and blocking this port will help protect systems behind that firewall from exploit attempts. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter. The second recommendation is to follow Microsoft guidelines to prevent SMB traffic from lateral connections and entering or leaving the network. – Gina Geisel
CVE-2022-24500 - Windows SMB Remote Code Execution Vulnerability - Critical
This Patch Tuesday, Microsoft released six security updates for Windows SMB, all for remote code execution vulnerabilities. Server Message Block (SMB) is a communication protocol that Microsoft created for providing shared access to files and printers across nodes on a network. Of the 6 CVEs, only one has been labeled as critical. To exploit CVE-2022-24500, user interaction is required; an attacker needs to direct a user to an SMB server so a malicious payload can be transferred as part of an OS API call. Directing a user can be achieved through social engineering or other methods. However, even the most well-trained users can fall prey to social engineering, so remediation is paramount. If, for whatever reason, this security update can’t be installed yet, blocking port 445 on the perimeter firewall can mitigate the risk of exploitation. However, this is not viable for remote systems, and at the same time, systems will still be vulnerable to attacks from within the enterprise perimeter. – Maarten Buis
CVE-2022-24530 - Windows Installer Elevation of Privilege Vulnerability - High and Publicly Disclosed
Microsoft released a fix for an elevation of privilege vulnerability in Windows Installer, the ubiquitous Windows tool for installing, maintaining, and removing software. Microsoft has publicly disclosed the vulnerability, though it reportedly has not been exploited in the wild. The vulnerability scores a 7.8 out of 10, as an attacker could leverage end user credentials and a simple attack locally to gain administrative privileges on the device.
Microsoft patched a similar elevation of privilege vulnerability, CVE-2021-43883, in Windows Installer in December of 2021. The vulnerability disclosed by Microsoft this month, CVE-2022-24530, affects all versions of Windows 7, 8, 10, and 11 plus Windows Server and Server Core 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 20H2, and 2022.
– Peter Pflaster
CVE-2022-26904 - Windows User Profile Service Elevation of Privilege Vulnerability - High and Publicly Disclosed
This month, Microsoft disclosed CVE-2022-26904 which impacts the Windows User Profile Service. This component stores information about users in a central location. This vulnerability could give a local (non-network) vector to an attacker, who could then elevate their user privileges. If an attacker were able to elevate the privileges on a user profile, this could give them lots of unwanted access to a Windows computer or, worse, a server. This high-complexity vulnerability requires no user interaction, but it’s still just a POC and has yet to be exploited in the wild. The user profile service affected is part of Windows and Windows Server. The high complexity rating is due to the fact that successful exploitation of this vulnerability requires an attacker to win a race condition, in other words, disrupting a process execution sequence. Because CVE-2022-21919 has been given a vulnerability score of “high,” it’s recommended that Windows and WinServer users update with the official Microsoft fix as soon as possible.
– Chad McNaughton
On March 14 and 31, Apple released several updates that address security issues and provide additional functionality.
Apple released macOS Monterey 12.3.1, iOS 15.4.1, and iPadOS 15.4.1 to remediate two potentially actively-exploited vulnerabilities. CVE-2022-22675 is a vulnerability that impacts the Apple audio and video decoding framework in all three operating systems and may have been actively exploited. The vulnerability may allow a threat actor to execute arbitrary code with kernel privileges.
CVE-2022-22674 is an out-of-bounds read vulnerability in the Intel Graphics driver that may allow an application to read kernel memory. This affects only the macOS and may have also been exploited in the wild.
For further detail about these critical vulnerabilities, please see our blog “Patch Now: Apple Announces Two Zero-Day Vulnerabilities for macOS & iOS.”
Automox recommends applying these latest updates within 72 hours.
Additional Apple updates include Safari 15.4 for macOS Big Sur and macOS Catalina, watchOS 8.5.1, tvOS 15.4.1, and GarageBand 10.4.6, among others.
While the list of potential implications may impact a broad spectrum of capabilities, Apple does not typically discuss or confirm security issues until an investigation has occurred. As a result, Automox recommends prioritizing the update of all Apple mobile devices to the latest OS. – Eric Feldman
Adobe’s Patch Tuesday saw updates for Acrobat and Reader, Commerce, After Effects, and Photoshop and fixed a total of 78 vulnerabilities across the four products, with 51 of the vulnerabilities allowing malicious code execution when exploited successfully.
Without a doubt, Adobe’s updates are led by a massive update for Acrobat and Reader DC 2020 and 2017 on macOS and Windows. The update fixes 62 vulnerabilities, including 35 critical (CVSS 7.8/10) arbitrary code execution vulnerabilities.
If your organization uses Acrobat or Reader DC 2020 or 2017, we recommend updating within one to two weeks, as Adobe notes that these products are historically at an elevated risk of attack. The table below details affected versions for each product and operating system and the newly available, updated version. Review Adobe’s release notes within the Adobe Acrobat and Reader Security Bulletin for more information. – Peter Pflaster
Adobe fixed a single, critical (CVSSv3.1 9.1/10) input validation vulnerability in Commerce ( 2.4.3-p1 and earlier versions and 2.3.7-p2 and earlier versions) and Magento Open source (2.4.3-p1 and earlier versions and 2.3.7-p2 and earlier versions) that may allow arbitrary code execution if exploited. If you’re using Commerce or Magento Open Source, update to Commerce version 2.3.7-p3, 2.4.3-p2, or 2.4.4 as soon as possible. If you’re using Magento, update to 2.3.7-p3, 2.4.3-p2, or 2.4.4.
Updates to After Effects for macOS and Windows fixed two critical (CVSSv3.1 7.8/10) vulnerabilities that allow arbitrary code execution on affected versions. Adobe notes that After Effects has historically not been a popular target for attack. However, we recommend updating to version 22.3 or 18.4.6 after you have applied more urgent Patch Tuesday updates on other software.
Finally, Adobe updated Photoshop 2021 (to version 22.5.7) and 2022 (to version 23.3) for Windows and macOS to remediate 13 critical vulnerabilities, all of which allow for arbitrary code execution on affected versions. Adobe notes that Photoshop has historically not been a popular target for attack. However, we recommend updating to the newest applicable version after you have applied more urgent Patch Tuesday updates on other software.
Don't miss a single vulnerability this Patch Tuesday. A detailed look at the latest patches and updates from Microsoft and multiple third-party applications can be found in April's Patch Tuesday Index below.
Last Updated 9:40 AM ET - April 11, 2022.
|Firefox||11 security vulnerabilities fixed in Firefox 99||MFSA 2022-13||High|
|Firefox ESR||8 security vulnerabilities fixed in Firefox ESR 91.8||MFSA 2022-14||High|
|Thunderbird||9 security vulnerabilities fixed in Thunderbird 91.8||MFSA 2022-15||High|
|Adobe Acrobat and Reader||62 security vulnerabilities fixed in Adobe Acrobat and Reader||APSB22-16||Adobe Priority 2|
|Adobe Commerce||1 security vulnerability fixed in Adobe Commerce||APSB22-13||Adobe Priority 3|
|Adobe After Effects||2 security vulnerabilities fixed in Adobe After Effects||APSB22-19||Adobe Priority 3|
|Adobe Photoshop||13 security vulnerabilities fixed in Adobe Photoshop||APSB22-20||Adobe Priority 3|
|Role: Windows Hyper-V||Windows Hyper-V Remote Code Execution Vulnerability||CVE-2022-22008||Critical|
|Role: Windows Hyper-V||Windows Hyper-V Remote Code Execution Vulnerability||CVE-2022-23257||Critical|
|Microsoft Dynamics||Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability||CVE-2022-23259||Critical|
|Windows Network File System||Windows Network File System Remote Code Execution Vulnerability||CVE-2022-24491||Critical|
|Windows Network File System||Windows Network File System Remote Code Execution Vulnerability||CVE-2022-24497||Critical|
|Windows SMB||Windows SMB Remote Code Execution Vulnerability||CVE-2022-24500||Critical|
|Role: Windows Hyper-V||Windows Hyper-V Remote Code Execution Vulnerability||CVE-2022-24537||Critical|
|Windows SMB||Windows Server Service Remote Code Execution Vulnerability||CVE-2022-24541||Critical|
|Windows Remote Procedure Call Runtime||RPC Runtime Library Remote Code Execution Vulnerability||CVE-2022-26809||Critical|
|LDAP - Lightweight Directory Access Protocol||Windows LDAP Remote Code Execution Vulnerability||CVE-2022-26919||Critical|
|Windows SMB||Win32 Stream Enumeration Remote Code Execution Vulnerability||CVE-2022-21983||High|
|Role: Windows Hyper-V||Windows Hyper-V Remote Code Execution Vulnerability||CVE-2022-22009||High|
|Role: Windows Hyper-V||Windows Hyper-V Denial of Service Vulnerability||CVE-2022-23268||High|
|Power BI||Microsoft Power BI Spoofing Vulnerability||CVE-2022-23292||High|
|Microsoft Office SharePoint||Microsoft SharePoint Server Spoofing Vulnerability||CVE-2022-24472||High|
|Microsoft Office Excel||Microsoft Excel Remote Code Execution Vulnerability||CVE-2022-24473||High|
|Windows Win32K||Windows Win32k Elevation of Privilege Vulnerability||CVE-2022-24474||High|
|Microsoft Edge (Chromium-based)||Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability||CVE-2022-24475||High|
|Windows Feedback Hub||Connected User Experiences and Telemetry Elevation of Privilege Vulnerability||CVE-2022-24479||High|
|Windows Common Log File System Driver||Windows Common Log File System Driver Elevation of Privilege Vulnerability||CVE-2022-24481||High|
|Microsoft Windows ALPC||Windows ALPC Elevation of Privilege Vulnerability||CVE-2022-24482||High|
|Windows Kernel||Windows Kernel Information Disclosure Vulnerability||CVE-2022-24483||High|
|Windows Cluster Shared Volume (CSV)||Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability||CVE-2022-24484||High|
|Windows SMB||Win32 File Enumeration Remote Code Execution Vulnerability||CVE-2022-24485||High|
|Windows Kerberos||Windows Kerberos Elevation of Privilege Vulnerability||CVE-2022-24486||High|
|Windows Local Security Authority Subsystem Service||Windows Local Security Authority (LSA) Remote Code Execution Vulnerability||CVE-2022-24487||High|
|Windows App Store||Windows Desktop Bridge Elevation of Privilege Vulnerability||CVE-2022-24488||High|
|Windows Cluster Shared Volume (CSV)||Cluster Client Failover (CCF) Elevation of Privilege Vulnerability||CVE-2022-24489||High|
|Role: Windows Hyper-V||Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability||CVE-2022-24490||High|
|Windows Remote Procedure Call Runtime||Remote Procedure Call Runtime Remote Code Execution Vulnerability||CVE-2022-24492||High|
|Microsoft Local Security Authority Server (lsasrv)||Microsoft Local Security Authority (LSA) Server Information Disclosure Vulnerability||CVE-2022-24493||High|
|Windows Ancillary Function Driver for WinSock||Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability||CVE-2022-24494||High|
|Microsoft Windows Media Foundation||Windows Direct Show - Remote Code Execution Vulnerability||CVE-2022-24495||High|
|Windows Local Security Authority Subsystem Service||Local Security Authority (LSA) Elevation of Privilege Vulnerability||CVE-2022-24496||High|
|Windows iSCSI Target Service||Windows iSCSI Target Service Information Disclosure Vulnerability||CVE-2022-24498||High|
|Windows Installer||Windows Installer Elevation of Privilege Vulnerability||CVE-2022-24499||High|
|Visual Studio||Visual Studio Elevation of Privilege Vulnerability||CVE-2022-24513||High|
|Windows Common Log File System Driver||Windows Common Log File System Driver Elevation of Privilege Vulnerability||CVE-2022-24521||High|
|Windows Endpoint Configuration Manager||Windows Endpoint Configuration Manager Elevation of Privilege Vulnerability||CVE-2022-24527||High|
|Windows Remote Procedure Call Runtime||Remote Procedure Call Runtime Remote Code Execution Vulnerability||CVE-2022-24528||High|
|Windows Installer||Windows Installer Elevation of Privilege Vulnerability||CVE-2022-24530||High|
|Microsoft Windows Codecs Library||HEVC Video Extensions Remote Code Execution Vulnerability||CVE-2022-24532||High|
|Windows RDP||Remote Desktop Protocol Remote Code Execution Vulnerability||CVE-2022-24533||High|
|Windows SMB||Win32 Stream Enumeration Remote Code Execution Vulnerability||CVE-2022-24534||High|
|Role: DNS Server||Windows DNS Server Remote Code Execution Vulnerability||CVE-2022-24536||High|
|Windows Cluster Shared Volume (CSV)||Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability||CVE-2022-24538||High|
|Role: Windows Hyper-V||Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability||CVE-2022-24539||High|
|Microsoft Windows ALPC||Windows ALPC Elevation of Privilege Vulnerability||CVE-2022-24540||High|
|Windows Win32K||Windows Win32k Elevation of Privilege Vulnerability||CVE-2022-24542||High|
|Windows Upgrade Assistant||Windows Upgrade Assistant Remote Code Execution Vulnerability||CVE-2022-24543||High|
|Windows Kerberos||Windows Kerberos Elevation of Privilege Vulnerability||CVE-2022-24544||High|
|Windows Kerberos||Windows Kerberos Remote Code Execution Vulnerability||CVE-2022-24545||High|
|Windows DWM Core Library||Windows DWM Core Library Elevation of Privilege Vulnerability||CVE-2022-24546||High|
|Windows Media||Windows Digital Media Receiver Elevation of Privilege Vulnerability||CVE-2022-24547||High|
|Windows Defender||Microsoft Defender Denial of Service Vulnerability||CVE-2022-24548||High|
|Windows AppX Package Manager||Windows AppX Package Manager Elevation of Privilege Vulnerability||CVE-2022-24549||High|
|Windows Telephony Server||Windows Telephony Server Elevation of Privilege Vulnerability|