Patch Tuesday - May 2022

May 10, 2022 by Bryson Medlock

It’s Patch Tuesday again! Patch Tuesday is the second Tuesday of each month, when Microsoft and other vendors release security patches. This month, Microsoft released patches for 75 vulnerabilities. Of these, 7 are critical (2 elevation of privilege and 5 remote code execution), 66 are important, and 1 is rated as low. There is one zero-day vulnerability (CVE-2022-26925) that has been publicly disclosed and exploited in the wild. Two other vulnerabilities (CVE-2022-22713 and CVE-2022-29972) have been publicly disclosed but have not yet been observed exploited in the wild.

Microsoft gives CVE-2022-26925 a CVSS score of 8.1 and describes it as a Windows LSA Spoofing Vulnerability. An unauthenticated attacker can exploit it by calling a specific method on the LSARPC interface over an anonymous NTLM connection and coercing the domain controller to authenticate to the attacker with NTLM. That coerced authentication can then be chained with an NTLM relay attack such as PetitPotam against AD CS to obtain full Domain Administrator privileges. Because this is a man-in-the-middle (MiTM) attack, the attacker would already need a foothold on your network so they could inject themselves into the network path between the two systems in question. Though Microsoft scores CVE-2022-26925 at 8.1 on its own, they note that when chained with PetitPotam the combined attack would score 9.8. After installing the patch, they also recommend following the steps in KB5005413 to enable Extended Protection for Authentication (EPA) and disable HTTP on AD CS servers. It’s also not a bad idea to disable NTLM authentication wherever possible.
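The KB5005413 hardening is easy to half-apply, so the following is an added audit script (not from the original post or from Microsoft) that checks an AD CS server hosting the Web Enrollment pages for the two settings the KB asks for, EPA set to Require and SSL required on the CertSrv application, and reports the local NTLM restriction policy. It assumes the default IIS site name and CertSrv path (the $CertSrvPath parameter), and that it runs elevated on the CA web server; the -Remediate switch is a name chosen here.

```powershell
# Added audit example (not from the original post): checks the KB5005413
# hardening on an AD CS server that hosts Web Enrollment (CertSrv) and
# reports the local NTLM restriction settings. Assumes the default IIS site
# name and CertSrv application path; pass -Remediate to apply EPA and
# Require SSL. Run elevated on the CA web server.
[CmdletBinding()]
param(
    [string]$CertSrvPath = 'IIS:\Sites\Default Web Site\CertSrv',   # assumption: default site
    [switch]$Remediate
)

Import-Module WebAdministration -ErrorAction Stop

# Get-WebConfigurationProperty returns either a plain value or a
# ConfigurationAttribute with a .Value member depending on the attribute;
# normalise both to a string so comparisons below are reliable.
function Get-IisAttribute {
    param([string]$Path, [string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -PSPath $Path -Filter $Filter -Name $Name
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { return [string]$v.Value }
    return [string]$v
}

$epaFilter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
$sslFilter = 'system.webServer/security/access'
$findings  = New-Object System.Collections.Generic.List[string]

# 1. Extended Protection for Authentication must be 'Require'. 'Allow' or
#    'None' means IIS still accepts an NTLM authentication relayed from the DC.
$epa = Get-IisAttribute $CertSrvPath $epaFilter 'tokenChecking'
if ($epa -ne 'Require') {
    $findings.Add("EPA tokenChecking is '$epa' (expected 'Require')")
    if ($Remediate) {
        Set-WebConfigurationProperty -PSPath $CertSrvPath -Filter $epaFilter -Name tokenChecking -Value 'Require'
    }
}

# 2. EPA only binds the authentication to a TLS channel, so CertSrv must also
#    require SSL; that removes the plain-HTTP enrollment endpoint the relay targets.
#    Note: remediation sets sslFlags to 'Ssl' only, so re-add client-certificate
#    negotiation flags afterwards if you were using them.
$ssl = Get-IisAttribute $CertSrvPath $sslFilter 'sslFlags'
if ($ssl -notmatch '\bSsl\b') {
    $findings.Add("sslFlags is '$ssl' (expected to include 'Ssl')")
    if ($Remediate) {
        Set-WebConfigurationProperty -PSPath $CertSrvPath -Filter $sslFilter -Name sslFlags -Value 'Ssl'
    }
}

# 3. Report (but do not change) the NTLM restriction policy. These values back the
#    "Network security: Restrict NTLM" Group Policy settings; 2 means deny all.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
foreach ($name in 'RestrictReceivingNTLMTraffic', 'RestrictSendingNTLMTraffic') {
    $val = (Get-ItemProperty -Path $lsa -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $val) { $val = 'not set (allow all)' }
    if ("$val" -ne '2') { $findings.Add("$name = $val (NTLM still permitted)") }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: EPA required, SSL required, NTLM restricted on $env:COMPUTERNAME"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    if (-not $Remediate) {
        Write-Output 'Re-run with -Remediate to apply the IIS changes; NTLM policy is left to Group Policy.'
    }
}
```

The script only touches the Web Enrollment application. If the Certificate Enrollment Web Service (CES) is also installed, KB5005413 has you set EPA in its web.config as well, which this check does not cover. NTLM restriction is reported rather than changed on purpose: disabling NTLM breaks anything still depending on it, so it belongs in a staged Group Policy rollout, not in a one-off script.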

There were 5 critical remote code execution (RCE) vulnerabilities patched this month: CVE-2022-21972 and CVE-2022-23270 (two similar RCEs in the Point-to-Point Tunneling Protocol, which require the attacker to send a maliciously crafted connection request to a RAS server), CVE-2022-22017 (an RCE in the Remote Desktop Client, which requires the attacker to convince a target user to connect to a malicious RDP server), CVE-2022-26937 (an RCE in the Windows Network File System, which can be exploited by making a maliciously crafted, unauthenticated call to an NFS service), and CVE-2022-29972 (an RCE in the Magnitude Simba Amazon Redshift ODBC driver).

There were two critical elevation of privilege vulnerabilities patched this month. The first, CVE-2022-26923, is a vulnerability in Active Directory Domain Services. An authenticated user could manipulate attributes of a machine account they own or manage and then acquire a certificate from Active Directory Certificate Services (AD CS) that lets them authenticate to the domain as the domain controller’s own machine account. The second critical elevation of privilege vulnerability is CVE-2022-26931, a Windows Kerberos vulnerability that requires the attacker to already have some access to the target environment in order to prepare it.
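A hunting check that follows from the CVE-2022-26923 description above is to look for machine accounts whose name attributes point at a different host. The attribute abused in the public write-ups is dNSHostName, which the post does not name; the following is an added example (not from the original post) that flags computer objects whose dNSHostName or host SPNs do not match the account's own name. The function, the -DnsDomain parameter and the sample hostnames are constructed here; mismatches also arise from renamed or clustered hosts, so treat hits as leads to review rather than verdicts.

```powershell
# Added hunting example (not from the original post): flags computer objects
# whose dNSHostName or host SPNs do not match the account's own name. A machine
# account pointing at another host's name (for example a domain controller's)
# is the shape of the CVE-2022-26923 abuse; renamed or clustered hosts can
# produce the same mismatch, so review hits rather than acting on them blindly.

function Test-ComputerNameConsistency {
    param(
        # Objects with Name, DNSHostName and ServicePrincipalName properties
        # (the shape Get-ADComputer -Properties DNSHostName,ServicePrincipalName returns).
        [Parameter(Mandatory, ValueFromPipeline)] [object[]]$Computer,
        [Parameter(Mandatory)] [string]$DnsDomain
    )
    process {
        foreach ($c in $Computer) {
            $expected = "$($c.Name).$DnsDomain".ToLower()
            $reasons  = @()

            # dNSHostName should be <sAMAccountName without $>.<domain>
            $actual = [string]$c.DNSHostName
            if ($actual -and $actual.ToLower() -ne $expected) {
                $reasons += "dNSHostName '$actual' != '$expected'"
            }

            # SPN format is service/host[:port][/name]; only the host part matters here.
            foreach ($spn in @($c.ServicePrincipalName)) {
                $spnHost = ([string]$spn -split '/')[1]
                if (-not $spnHost) { continue }
                $spnHost = ($spnHost -split ':')[0].ToLower()
                if ($spnHost -ne $c.Name.ToLower() -and $spnHost -ne $expected) {
                    $reasons += "SPN host '$spnHost' != '$($c.Name)'"
                }
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Name        = $c.Name
                    DNSHostName = $actual
                    Reasons     = $reasons -join '; '
                }
            }
        }
    }
}

# Constructed sample data standing in for Get-ADComputer output; all names are made up.
# WS01 is clean, WS02 claims a DC's dNSHostName, WS03 carries an SPN for another host.
$sample = @(
    [pscustomobject]@{ Name = 'WS01'; DNSHostName = 'ws01.corp.example'; ServicePrincipalName = @('HOST/WS01', 'HOST/ws01.corp.example') }
    [pscustomobject]@{ Name = 'WS02'; DNSHostName = 'dc01.corp.example'; ServicePrincipalName = @('HOST/WS02', 'HOST/ws02.corp.example') }
    [pscustomobject]@{ Name = 'WS03'; DNSHostName = 'ws03.corp.example'; ServicePrincipalName = @('HOST/WS03', 'RestrictedKrbHost/dc01.corp.example') }
)

$sample | Test-ComputerNameConsistency -DnsDomain 'corp.example' | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADComputer -Filter * -Properties DNSHostName, ServicePrincipalName |
#     Test-ComputerNameConsistency -DnsDomain (Get-ADDomain).DNSRoot | Format-Table -AutoSize
```

On the constructed sample, WS02 and WS03 are reported and WS01 is not. Run against a real domain, the same function is cheap enough to schedule and diff over time, since a newly appearing mismatch on an account a low-privileged user can write to is far more interesting than a long-standing one on a cluster object.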

For a full breakdown of all the patches released this month, we recommend the Patch Tuesday Dashboard by Morphus Labs. The table below lists the relevant Microsoft KB articles.

KB Article   Applies To
5013941      Windows 10, version 1809; Windows Server 2019
5013942      Windows 10, version 20H2; Windows Server, version 20H2; Windows 10, version 21H1; Windows 10, version 21H2
5013943      Windows 11
5013944      Windows Server 2022
5013952      Windows 10, version 1607; Windows Server 2016
5013999      Windows 7; Windows Server 2008 R2 (Security-only update)
5014001      Windows 8.1; Windows Server 2012 R2 (Security-only update)
5014006      Windows Server 2008 (Security-only update)
5014010      Windows Server 2008 (Monthly Rollup)
5014011      Windows 8.1; Windows Server 2012 R2 (Monthly Rollup)
5014012      Windows 7; Windows Server 2008 R2 (Monthly Rollup)
5014017      Windows Server 2012 (Monthly Rollup)
5014018      Windows Server 2012 (Security-only update)

The CRU has been reviewing the data from today’s Patch Tuesday and has obtained PoCs for some of these vulnerabilities. We will release any new detection content we develop based on them as it becomes available.