This month’s Patch Tuesday looks like a breeze at first glance, but don’t let the numbers fool you! There are some critically important vulnerabilities to get fixed up right away.
Unlike April, May’s Patch Tuesday lands with only 74 vulnerabilities. Although this isn’t a large number, this month makes up for it in criticality and broad infrastructure headaches. The big news is the set of critical vulnerabilities that need to be highlighted for immediate action. This month features vulnerabilities in NFS, Remote Desktop Client, and Active Directory. Windows NFS, or Network File System, features a CVSSv3.1 9.8 vulnerability. This vulnerability allows for remote code execution and is present in every Windows Server version from 2008 forward.
Next, keep an eye on the dark horse candidate for IT frustration: a vulnerability in Microsoft Exchange Server that requires not only a patch but a configuration change to fully remediate. This vulnerability scores an 8.2 in the CVSSv3.1 rating, but only garnered an “important” from Microsoft.
May broke the streak with one actively exploited vulnerability disclosed by Microsoft. The trend back down in the number of vulnerabilities is welcome, but the increase in criticality won’t go unnoticed. Given the complexity of remediation for vulnerabilities like the Exchange Server vulnerability, IT admins will still have a busy week trying to find a quiet moment to remediate the ever-burdened Exchange Server.
May’s vulnerability breakdown has the seven critical vulnerabilities spread across six different services and applications. Adding to the variety are the types of vulnerabilities. Of the seven critical, five are Remote Code Execution vulnerabilities and the remaining two are Elevation of Privilege vulnerabilities.
CVE-2022-22017 - Remote Desktop Client Remote Code Execution Vulnerability - Critical
CVE-2022-22017 is a critical vulnerability with a 7.3 CVSSv3.1 score, found in the Windows Remote Desktop Client (RDC). CVE-2022-22017 is present in the RDC for Windows 11 and Server 2022. RDC is a tool that allows users to directly access and manage a remote device through the client application. The vulnerability is a remote code execution or RCE vulnerability. RCE allows adversaries to run malicious code on a target system. An attacker successfully exploiting an RCE can take control of a target system, read or delete data, make changes to the system, or directly run malicious code. Automox recommends patching this vulnerability within 72 hours to minimize exposure before adversaries weaponize it. - Jay Goodman
CVE-2022-26923 - Active Directory Domain Services Elevation of Privilege Vulnerability - Critical
A critical, CVSSv3.1 8.8/10, vulnerability in Active Directory Domain Services leaves systems vulnerable to elevation of privileges when exploited. An attacker with minimal privileges can exploit CVE-2022-26923 via a simple attack over the network with no other user interaction required and gain administrative privileges, though Microsoft notes that there are no known exploits in the wild.
The vulnerability lies within Active Directory Certificate Services - if you’re running this service on your domain, you are vulnerable to attack. Vulnerable systems include Windows Server 2012 R2 and up (including Core), Windows 8.1 and 8.1 RT, Windows 10 versions 1607, 1809, 1909, 20H2, 21H1, 21H2, and Windows 11. - Chris Hass
CVE-2022-26937 - Windows Network File System Remote Code Execution Vulnerability - Critical
Microsoft patched a critical CVSSv3.1 9.8/10 vulnerability in the Windows Network File System (NFS) that allows an attacker to remotely execute code on vulnerable versions. Windows NFS is a widely used file-sharing solution that leverages the NFS protocol to transfer files between Windows Server and Unix-based operating systems.
All Windows Server versions from 2008 upwards (including Core) are vulnerable. Although the CVE has yet to be exploited in the wild, and no exploit code is publicly available yet, we anticipate this vulnerability will be targeted by threat actors due to the ease of exploitation. An unprivileged attacker could make an unauthenticated call to the NFS service to trigger remote code execution (RCE) without user interaction. Due to the severity, prevalence of Windows NFS on Windows Server, and ease of exploitation, Automox recommends patching vulnerable systems within 72 hours. - Peter Pflaster
CVE-2022-21978 - Microsoft Exchange Server Elevation of Privilege Vulnerability - High
With a high priority and low attack complexity, CVE-2022-21978 impacts Microsoft Exchange Server 2013 (Update 23), 2016 (Updates 22 and 23), and 2019 (Updates 11 and 12). Successful exploitation requires the attacker to be authenticated to the Exchange Server as a member of a high-privileged group and could lead to a scope change (S:C) in which an attacker with elevated privileges on the Exchange server could gain the rights of a Domain Administrator. This could allow access and controls outside of the expected scope of the targeted functionality.
Automox recommends patching and updating to the most recent Microsoft release immediately. The security updates released for this CVE require that the Setup file be run using the Prepare Active Directory domains command. This can be done by running one of the following commands in a Windows Command Prompt window on the Exchange server after the update has been downloaded:
[drive letter]:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAllDomains
[drive letter]:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareDomain:[domain]
For more information, see Step 3 of Prepare Active Directory and domains for Exchange Server. In addition, seek out newly created accounts as attackers have been observed creating accounts as part of the attack chain. - Gina Geisel
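One way to carry out the account review recommended above, as an added example that is not Automox's or Microsoft's own code. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the 30-day window and the list of privileged groups are illustrative assumptions to adjust for your environment.

```powershell
# Added example: list AD user accounts created in the last N days and flag
# any that already belong to a privileged group (nested membership included).
Import-Module ActiveDirectory

$DaysBack = 30                                   # assumed review window
$since    = (Get-Date).AddDays(-$DaysBack)

# Assumed watch list; a group that does not exist in this domain is skipped.
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Organization Management'

# Build a lookup: member distinguished name -> privileged groups it is in.
$privMembers = @{}
foreach ($group in $privGroups) {
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
    foreach ($member in $members) {
        $dn = $member.distinguishedName
        if (-not $privMembers.ContainsKey($dn)) { $privMembers[$dn] = @() }
        $privMembers[$dn] += $group
    }
}

# Recently created users, newest first, with any privileged memberships shown.
Get-ADUser -Filter 'whenCreated -ge $since' -Properties whenCreated |
    Sort-Object whenCreated -Descending |
    Select-Object SamAccountName, whenCreated, Enabled,
        @{ Name = 'PrivilegedGroups'
           Expression = { $privMembers[$_.DistinguishedName] -join ', ' } } |
    Format-Table -AutoSize
```

Rows with a non-empty PrivilegedGroups column are the ones to verify against change records first.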
CVE-2022-22713 - Windows Hyper-V Denial of Service Vulnerability - High - Publicly Disclosed
CVE-2022-22713 Windows Hyper-V Denial of Service Vulnerability has a severity rating of “Important” and affects Windows 10 x64-based systems for Version 20H2, 21H1, and 21H2, as well as Windows Server 20H2.
Although successful exploitation of this vulnerability requires an attacker to win a race condition, the net result, if exploited, is that the user would get a Denial of Service response. There are no workarounds for this CVE, but fortunately it has not yet been exploited, and Fixed Builds from Microsoft are available. - Shari Barnett