This month’s Patch Tuesday release includes fixes for 117 CVEs – nine rated critical and two zero-days, one of which has already been exploited andwas reported by the National Security Agency.
Microsoft has fixed CVE-2022-24521, an elevation of privilege vulnerability in the Windows Common Log File System driver which received a CVSSv3 score of 7.8 and was exploited as zero-day. Although there is no further information on the exploitation of CVE-2022-24521, we do know that CrowdStrike and the NSA are involved in the discovery of this vulnerability.
Additionally, Microsoft has closed CVE-2022-26904, an elevation of privilege vulnerability in the User Profile Service. Although exploiting this vulnerability requires an attacker to time their attack perfectly in order to win a race condition, Microsoft has classified it as “Exploitation more likely”.
Also note that versions 4.5.2, 4.6 and 4.6.1 of Microsoft’s .NET Framework andVersion 20H2 will soon be reaching the end of support. Users are strongly advised to update their systems to ensure that they continue to receive updates.
Microsoft fixes 117 CVEs in its April 2022 Patch Tuesday release, including two zero-day vulnerabilities, one of which was exploited in the wild and reported to Microsoft by the National Security Agency.
This month’s update includes fixes for:
Active Directory Domain Services
Azure site recovery
LDAP – Lightweight Directory Access Protocol
Microsoft Bluetooth Driver
Microsoft Edge (Chromium-based)
Microsoft Graphics Component
Microsoft Local Security Authority Server (lsasrv)
Microsoft Windows ALPC
Microsoft Windows Codec Library
Microsoft Windows Media Foundation
Role: DNS server
Role: Windows Hyper-V
Skype for Business
Visual Studio Code
Windows Companion Driver for WinSock
Windows app store
Windows AppX Package Manager
Windows Cluster Client Failover
Windows Cluster Shared Volume (CSV)
Windows Common Log File System Driver
Windows DWM Core Library
Windows Device Configuration Manager
Create a Windows Fax form
Windows Feedback Center
Windows File Explorer
Windows file server
Windows iSCSI Target Service
Windows Local Security Authority Subsystem Service
Windows Network File System
Windows Print Spooler Components
Windows Remote Procedure Call Execution Environment
Windows Telephony Server
Windows Upgrade Assistant
Windows User Profile Service
Windows Work Folders Service
YARP Reverse Proxy
Count by impact
Elevation of Privilege (EoP) vulnerabilities accounted for 39.3% of vulnerabilities patched this month, followed by Remote Code Execution (RCE) vulnerabilities at 39.3%.
CVE-2022-24521 and CVE-2022-24481 | Windows Common Log File System Driver Elevation of Privilege Vulnerabilities
CVE-2022-24521 is an EoP vulnerability in the Windows Common Log File System (CLFS) driver for Microsoft Windows. EoP vulnerabilities like these are exploited post-authentication after an attacker has successfully gained access to a vulnerable system to gain elevated privileges. According to Microsoft, this vulnerability was exploited as a zero-day vulnerability, although we don’t have further details on how it was exploited. However, we do know that the vulnerability was reported to Microsoft by the National Security Agency along with CrowdStrike researchers. Organizations should ensure that they apply available patches as soon as possible. CVE-2022-24481 is another CLFS driver EoP that received the same CVSSv3 score of 7.8 and was rated “Exploitation more likely” by Microsoft’s Exploitability Index. However, it is not zero day.
CVE-2022-26904 | Windows User Profile Service Elevation of Privilege Vulnerability
CVE-2022-26904 is an EoP vulnerability in Windows User Profile Service. She received a CVSSv3 score of 7.0, which classifies her severity as significant. The attack complexity for this vulnerability is rated high because it “forces an attacker to win a race condition.” Despite its greater complexity, it is still classified as “Exploitation more likely”. This is the second of two zero days this month, as details of this vulnerability were made public before a fix was available.
CVE-2022-24491 | Windows Network File System Vulnerability (Remote Code Execution)
CVE-2022-24491 is a critical Windows Network File System (NFS) RCE vulnerability that has been assigned a CVSSv3 score of 9.8 and a more likely exploit rating. A remote, unauthenticated attacker could exploit this vulnerability by sending specially crafted NFS protocol network messages to a vulnerable system. Only systems with the NFS role enabled are vulnerable to exploiting the vulnerability; However, organizations should still apply the patch to all systems to ensure that they are protected.
CVE-2022-26809 | Remote Code Execution Vulnerability When Executing a Remote Procedure Call
CVE-2022-26809 is a critical RCE vulnerability in the Remote Procedure Call (RPC) runtime. She received a CVSSv3 score of 9.8. A remote, unauthenticated attacker could exploit this vulnerability by sending “a specially crafted RPC call to an RPC host”. However, if a fix is not possible, Microsoft recommends blocking TCP port 445 on the perimeter firewall to thwart attempts to exploit this vulnerability. Despite these mitigations, systems “may still be vulnerable to attack from the corporate environment.”
CVE-2022-26817 and CVE-2022-26814 | Windows DNS Server Remote Code Execution Vulnerabilities
CVE-2022-26817 and CVE-2022-26814 are RCE vulnerabilities in Windows DNS Server affecting Active Directory Domain Services, both of which received a CVSSv3 score of 6.6 and were discovered by Yuki Chen using by Cyber KunLun. Exploitation of this vulnerability is rated as “less likely”, which could be related to the greater complexity of the attack and the required authorizations. To successfully exploit this vulnerability, an attacker on the target network who has permission to query the domain name service must win a race condition. Only if he perfectly exploits this vulnerability in time can he reach RCE. Fixes have been released for supported versions for Windows Server and Windows Server Core installations.
15 Windows Print Spooler Elevation of Privilege Vulnerabilities
This month, Microsoft patched 15 EoP vulnerabilities in print spooler components, all of which received a CVSSv3 score of 7.8. Three of the vulnerabilities were discovered by George Hughey of the Microsoft Security Response Center Vulnerabilities and Mitigation, and the other 12 were discovered by Microsoft Offensive Research and Security Engineering. Although Microsoft categorizes these vulnerabilities as “less likely to be exploited”, attackers have exploited EoP vulnerabilities in Print Spooler in the past.
End of support imminent
In the coming weeks, the .NET Framework and Windows 10 releases will no longer receive updates or support. On April 26, support for .NET Framework 4.5.2, 4.6, or 4.6.1 will end because they use the less secure Secure Hash Algorithm 1 (SHA-1). On May 10, version 20H2 of Windows 10 will reach end of support. Users are advised to update to the most recent versions to ensure they continue to receive important security updates.
Users can create analytics specifically focused on our Patch Tuesday plugins. In a new advanced analysis on the Plugins tab, set an advanced filter for the name of the plugin containing April 2022.
With this set of filters, click on the plugin families on the left and activate each plugin that appears on the right. Note: If the families on the left say “Enabled”, all plug-ins in that family are enabled. Disable the whole family before selecting each plugin for this analysis. Here is an example from Tenable.io:
A list of all plugins released for Tenable’s April 2022 Patch Tuesday Update can be found here. As always, we recommend that you patch systems as soon as possible and regularly scan your environment to identify systems that still need to be patched.