Claire Tills, Senior Research Engineer at Tenable, comments on Microsoft’s traditional Patch Tuesday and its security implications in a guest post.

This month’s Patch Tuesday release includes fixes for 117 CVEs – nine classified as critical and two zero-days, one of which has already been exploited and reported to Microsoft by the National Security Agency.

Microsoft has patched CVE-2022-24521, an elevation of privilege vulnerability in the Windows Common Log File System driver that received a CVSSv3 score of 7.8 and was exploited as a zero-day. While there is no further information about the exploitation of CVE-2022-24521, we know that CrowdStrike and the NSA are involved in discovering this vulnerability.

In addition, Microsoft has closed vulnerability CVE-2022-26904, an elevation of privilege vulnerability in the User Profile Service. Although exploiting this vulnerability requires an attacker to time their attack to win a race condition ideally, Microsoft has classified it as “Exploitation More Likely.”

Also of note is that versions 4.5.2, 4.6, and 4.6.1 of Microsoft’s .NET Framework and Windows 10 version 20H2 will soon reach the end of support. Users are strongly advised to update their systems to ensure they continue to receive updates.

Microsoft fixed 117 CVEs in its April 2022 Patch Tuesday release, including two zero-day vulnerabilities, one of which was exploited in the wild and reported to Microsoft by the National Security Agency.

This month’s update includes patches for:

.NET Framework

Active Directory Domain Services

Azure SDK

Azure site recovery

LDAP – Lightweight directory access protocol

Microsoft Bluetooth driver

Microsoft Dynamics

Microsoft Edge (Chromium-based)

Microsoft graphics component

Microsoft Local Security Authority Server

Microsoft Office Excel

Microsoft OfficeSharePoint _

Microsoft Windows ALPC

Microsoft Windows Codecs Library

Microsoft Windows Media Foundation

power BI

Role: DNS server

Role: Windows Hyper-V

Skype for business


Visual Studio Code

Windows add-in driver for WinSock

Windows App Store

Windows AppX package manager

Windows cluster client failover

Windows Cluster Shared Volume (CSV)

Windows Common Log File System driver

Windows defender

Windows DWM core library

Windows endpoint configuration manager

Create Windows Fax form

Windows Feedback Hub

Windows file explorer

Windows file server

Windows installer

Windows iSCSI target service

Windows Kerberos

Windows kernel

Windows Local Security Authority Subsystem Service

Windows media

Windows network file system

Windows PowerShell

Windows print spooler components

Windows RDP

Windows Remote Procedure Call runtime environment

Windows Schannel

Windows SMB

Windows telephony server

Windows Upgrade Assistant

Windows User Profile Service


Windows Work Folders Service

YARP reverse proxy

Count by Impact

Elevation of Privilege (EoP) related vulnerabilities accounted for 39.3% of the vulnerabilities patched this month, followed by Remote Code Execution (RCE) related vulnerabilities at 39.3%.


CVE-2022-24521 and CVE-2022-24481 | Windows Common Log File System Driver Elevation of Privilege Vulnerabilities

CVE-2022-24521 is an EoP vulnerability in the Windows Common Log File System (CLFS) driver for Microsoft Windows. EoP vulnerabilities are exploited post-authentication after an attacker has successfully accessed a vulnerable system to gain elevated privileges. According to Microsoft, this vulnerability was used as a zero-day vulnerability, although we have no further details about its exploitation. However, we know that the vulnerability was reported to Microsoft by the National Security Agency and researchers from CrowdStrike. Enterprises should ensure that they apply the available patches as soon as possible. CVE-2022-24481 is another EoP in the CLFS driver with the same CVSSv3 rating of 7, 8 and rated “Exploitation More Likely” according to Microsoft’s Exploitability Index. However, it is not a zero-day.


CVE-2022-26904 | Windows User Profile Service Elevation of Privilege Vulnerability

CVE-2022-26904 is an EoP vulnerability in the Windows User Profile service. She received a CVSSv3 score of 7.0, which ranks her severity as necessary. The attack complexity for this vulnerability is rated high because it “forces an attacker to win a race condition.” Despite the higher complexity, it is still classified as “Exploitation More Likely.” This is the second of two zero-days this month, as details about this vulnerability became public before a patch was made available.


CVE-2022-24491 | Windows Network File System Vulnerability (Remote Code Execution)

CVE-2022-24491 is a Windows Network File System (NFS) RCE Critical vulnerability that received a CVSSv3 score of 9.8 and an Exploitation More Likely rating. An unauthenticated, remote attacker could exploit this vulnerability by sending specially crafted NFS protocol network messages to a vulnerable system. Only systems with the NFS role enabled are vulnerable to exploitation of the exposure; however, organizations should still apply the Patch to all systems to ensure they are protected.


CVE-2022-26809 | Remote procedure call runtime remote code execution vulnerability

CVE-2022-26809 is a critical RCE vulnerability in the Remote Procedure Call (RPC) runtime”. However, if a patch is not possible, Microsoft recommends blocking TCP port 445 on the perimeter firewall to thwart attempts to exploit this vulnerability. Despite these mitigations, systems “can still be vulnerable to attacks from the enterprise environment.”


CVE-2022-26817 and CVE-2022-26814 | Windows DNS Server remote code execution vulnerabilities

CVE-2022-26817 and CVE-2022-26814 are RCE vulnerabilities in Windows DNS Server affecting Active Directory Domain Services, both of which received a CVSSv3 score of 6.6 and were discovered by Yuki Chen using Cyber ​​KunLun. The exploitation of this vulnerability is classified as “less likely,” which could be related to the higher attack complexity and the required permissions. To successfully exploit this vulnerability, an attacker on the target network who has permission to query the domain name service must win a race condition. Only if he exploits this vulnerability perfectly in time can he achieve RCE. Patches have been released for supported versions for Windows Server and Windows Server Core installations.


15 Windows Print Spooler Elevation of Privilege Vulnerabilities

This month Microsoft patched 15 EoP vulnerabilities in Print Spooler components, all of which received a CVSSv3 score of 7.8. Three of the vulnerabilities were discovered by George Hughey of the Microsoft Security Response Center Vulnerabilities and Mitigations, and the other 12 were found by Microsoft Offensive Research and Security Engineering. Although Microsoft classifies these vulnerabilities as “exploitation less likely,” attackers have already exploited EoP vulnerabilities in Print Spooler in the past.
















The impending end of support

In the coming weeks, versions of the .NET Framework and Windows 10 will no longer receive updates or support. On April 26, .NET Framework 4.5.2, 4.6, or 4.6.1 will end support because they use the less secure Secure Hash Algorithm 1 (SHA-1). On May 10, Windows 10 version 20H2 will reach the end of support. Users are urged to update to newer versions to ensure they continue to receive essential security updates.

Tenable Solutions

Users can create scans specifically focused on our Patch Tuesday plugins. A new advanced scan on the Plugins tab sets an advanced filter for the plugin name containing April 2022.

With this filter set, click on the plugin families on the left and enable each plugin that appears on the right. Note: If the families on the left say “Enabled,” then all the plugins in that family are enabled. Disable the entire family before selecting each plugin for this scan.

A list of all plugins released for Tenable’s April 2022 Patch Tuesday Update can be found here. We recommend patching systems as soon as possible and regularly scanning your environment to identify strategies that still need to be repai


Previous article


Next article


Leave a reply

Your email address will not be published. Required fields are marked *


You may also like