Patch Tuesday - May 2022

It’s Patch Tuesday again! Patch Tuesday is the second Tuesday of each month when Microsoft and other vendors release security patches. This month, Microsoft released patches for 75 vulnerabilities. Of these 74, 7 are critical (2 elevation of privilege and 5 remote code execution), 66 are important, and 1 is rated as low. There is one zero-day vulnerability (CVE-2022-26925) that has been publicly disclosed and exploited in the wild. Two other vulnerabilities (CVE-2022-22713 and CVE-2022-29972) have been publicly disclosed but not yet observed exploited in the wild.

Microsoft gives CVE-2022-26925 a CVSS score of 8.1 and refers to it as a Windows LSA Spoofing Vulnerability. An attacker can exploit this vulnerability by calling a specific method on the LSARPC interface via an Anonymous NTLM connection. This vulnerability could be used with an NTLM relay attack, such as Petit Potam, to gain full Domain Administrator privileges. This is a man-in-the-middle (MiTM) attack, and an attacker would have to your network so they could inject into the actual network path between the two systems in question. Though Microsoft scores CVE-2022-26925 with a CVSS score of 8.1, they mention that when chained together with Petit Potam it would have a score of 9.8. After installing the new patch, they also recommend following the steps in KB5005413 to enable EPA and disable HTTP on AD CS servers. It’s also not a bad idea to disable NTLM Authentication wherever possible.

There were 5 critical remote code execution (RCE) vulnerabilities patched this month. These include CVE-2022-21972 and CVE-2022-23270 (two similar RCEs in the Point-to-Point Tunneling Protocol which require the attacker to send a maliciously crafted connection request to an RAS server), CVE-2022-22017 (an RCE in the Remote Desktop Client which requires the attacker to convince a target user to connect to a malicious RDP server), CVE-2022-26937 (an RCE in the Windows Network File System which can be exploited by making a maliciously crafted, unauthenticated call to an NFS service), and CVE-2022-29972 (and RCE in the Magnitude Simba Amazon Redshift ODBC driver).

There were two critical privilege escalation vulnerabilities disclosed this month. The first, CVE-2022-26923, is a vulnerability in Active Directory. An authenticated account could exploit this vulnerability and manipulate attributes of a machine account they own or manage and then acquire a certificate from the Active Directory Certificate Services (AD CS) with permissions to access the domain controller as its own machine account. The second critical privilege escalation vulnerability is CVE-2022-26931, a Windows Kerberos privilege escalation that requires an attacker to already have some access to prepare the target environment.

For a full break down of all the patches released this month, we recommend you check out the Patch Tuesday Dashboard by Morphus Labs. Also refer to the table below for all the relevant Microsoft KB articles.

The CRU has been reviewing the data from today’s Patch Tuesday and obtained a few PoCs for some. We will release any new detection content based on these vulnerabilities that we develop as they become available.