Claire Tills, Senior Research Engineer at Tenable, comments on Microsoft’s traditional Patch Tuesday and its security implications in a guest post.
This month’s Patch Tuesday release includes fixes for 117 CVEs – nine classified as critical and two zero-days, one of which has already been exploited and reported to Microsoft by the National Security Agency.
Microsoft has patched CVE-2022-24521, an elevation of privilege vulnerability in the Windows Common Log File System driver that received a CVSSv3 score of 7.8 and was exploited as a zero-day. While there is no further information about the exploitation of CVE-2022-24521, we know that CrowdStrike and the NSA are involved in discovering this vulnerability.
In addition, Microsoft has closed CVE-2022-26904, an elevation of privilege vulnerability in the User Profile Service. Although exploiting this vulnerability requires an attacker to time the attack precisely enough to win a race condition, Microsoft has classified it as “Exploitation More Likely.”
Also of note is that versions 4.5.2, 4.6, and 4.6.1 of Microsoft’s .NET Framework and Windows 10 version 20H2 will soon reach the end of support. Users are strongly advised to update their systems to ensure they continue to receive updates.
Microsoft fixed 117 CVEs in its April 2022 Patch Tuesday release, including two zero-day vulnerabilities, one of which was exploited in the wild and reported to Microsoft by the National Security Agency.
This month’s update includes patches for:
Active Directory Domain Services
Azure Site Recovery
LDAP – Lightweight Directory Access Protocol
Microsoft Bluetooth Driver
Microsoft Edge (Chromium-based)
Microsoft Graphics Component
Microsoft Local Security Authority Server
Microsoft Office Excel
Microsoft Office SharePoint
Microsoft Windows ALPC
Microsoft Windows Codecs Library
Microsoft Windows Media Foundation
Role: DNS Server
Role: Windows Hyper-V
Skype for Business
Visual Studio Code
Windows Ancillary Function Driver for WinSock
Windows App Store
Windows AppX Package Manager
Windows Cluster Client Failover
Windows Cluster Shared Volume (CSV)
Windows Common Log File System Driver
Windows DWM Core Library
Windows Endpoint Configuration Manager
Windows Fax Compose Form
Windows Feedback Hub
Windows File Explorer
Windows File Server
Windows iSCSI Target Service
Windows Local Security Authority Subsystem Service
Windows Network File System
Windows Print Spooler Components
Windows Remote Procedure Call Runtime
Windows Telephony Server
Windows Upgrade Assistant
Windows User Profile Service
Windows Work Folders Service
YARP reverse proxy
Count by Impact
Elevation of Privilege (EoP) vulnerabilities accounted for 39.3% of the vulnerabilities patched this month, with Remote Code Execution (RCE) vulnerabilities also at 39.3%.
CVE-2022-24521 and CVE-2022-24481 | Windows Common Log File System Driver Elevation of Privilege Vulnerabilities
CVE-2022-24521 is an EoP vulnerability in the Windows Common Log File System (CLFS) driver for Microsoft Windows. EoP vulnerabilities are exploited post-authentication, after an attacker has already gained access to a vulnerable system, in order to obtain elevated privileges. According to Microsoft, this vulnerability was exploited as a zero-day, although no further details about its exploitation are available. We do know that it was reported to Microsoft by the National Security Agency and researchers from CrowdStrike. Enterprises should apply the available patches as soon as possible. CVE-2022-24481 is another EoP in the CLFS driver with the same CVSSv3 rating of 7.8 and is rated “Exploitation More Likely” on Microsoft’s Exploitability Index; it is not, however, a zero-day.
CVE-2022-26904 | Windows User Profile Service Elevation of Privilege Vulnerability
CVE-2022-26904 is an EoP vulnerability in the Windows User Profile Service. It received a CVSSv3 score of 7.0 and a severity rating of Important. The attack complexity for this vulnerability is rated high because it “forces an attacker to win a race condition.” Despite the higher complexity, it is still classified as “Exploitation More Likely.” This is the second of the two zero-days this month, as details about the vulnerability became public before a patch was available.
CVE-2022-24491 | Windows Network File System Vulnerability (Remote Code Execution)
CVE-2022-24491 is a critical RCE vulnerability in the Windows Network File System (NFS) that received a CVSSv3 score of 9.8 and an “Exploitation More Likely” rating. An unauthenticated, remote attacker could exploit it by sending specially crafted NFS protocol messages to a vulnerable system. Only systems with the NFS role enabled are exposed; however, organizations should still apply the patch to all systems to ensure they are protected.
CVE-2022-26809 | Remote procedure call runtime remote code execution vulnerability
CVE-2022-26809 is a critical RCE vulnerability in the Remote Procedure Call (RPC) runtime. Where patching is not immediately possible, Microsoft recommends blocking TCP port 445 on the perimeter firewall to thwart attempts to exploit this vulnerability. Despite this mitigation, systems “can still be vulnerable to attacks from within the enterprise environment.”
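The two exposure conditions above (the NFS role for CVE-2022-24491, reachable TCP 445 for CVE-2022-26809) can be checked on a host before the patch window. The following PowerShell is an added example, not code from the Tenable post or from Microsoft: it reports whether the NFS server role is installed, whether anything listens on 445 and whether an inbound block rule already exists, and optionally creates a host-firewall rule limited to the Public profile as a host-level analogue of the perimeter block Microsoft describes. It assumes an elevated PowerShell 5.1 or later session on Windows; the NFS check needs the ServerManager module, which only exists on Windows Server. The rule name is a constructed label.

```powershell
# Added example, not code from the Tenable post or from Microsoft: read-only audit of two
# exposures discussed above, plus an optional host-firewall rule mirroring Microsoft's
# interim advice to block TCP 445 where patching is not yet possible.
# Assumptions: elevated PowerShell 5.1+ on Windows; Get-WindowsFeature (ServerManager)
# is only available on Windows Server, so the NFS check is skipped on client systems.

function Test-NfsServerRole {
    # CVE-2022-24491 only reaches hosts with the NFS server role (FS-NFS-Service) installed.
    if (-not (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{ Checked = $false; Installed = $false; Note = 'ServerManager module not present (client OS?)' }
    }
    $feature = Get-WindowsFeature -Name FS-NFS-Service -ErrorAction SilentlyContinue
    return [pscustomobject]@{ Checked = $true; Installed = [bool]($feature -and $feature.Installed); Note = 'FS-NFS-Service' }
}

function Get-Port445Exposure {
    # Is anything listening on TCP 445 (SMB, which also carries RPC over named pipes),
    # and does an enabled inbound block rule for that port already exist?
    $listening = @(Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue).Count -gt 0
    $blockRules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $ports = $_ | Get-NetFirewallPortFilter -ErrorAction SilentlyContinue
            $ports.Protocol -eq 'TCP' -and ($ports.LocalPort -contains '445' -or $ports.LocalPort -eq 'Any')
        }
    return [pscustomobject]@{
        Listening445     = $listening
        InboundBlockRule = @($blockRules).Count -gt 0
        BlockRuleNames   = @($blockRules | Select-Object -ExpandProperty DisplayName)
    }
}

function Add-Block445Rule {
    # Host-level analogue of the perimeter block. Limited to the Public profile so SMB/RPC
    # on the Domain profile keeps working; the post's caveat that systems remain exposed to
    # attacks from inside the enterprise applies exactly to what this rule does not cover.
    param([switch]$Apply)
    $name = 'Block inbound TCP 445 (interim CVE-2022-26809 mitigation)'   # constructed rule name
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { return "Rule '$name' already exists" }
    if (-not $Apply) { return "Dry run: would create rule '$name' (use -Apply to create it)" }
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort 445 `
        -Action Block -Profile Public -Enabled True | Out-Null
    return "Created rule '$name'"
}

Test-NfsServerRole
Get-Port445Exposure
Add-Block445Rule            # dry run by default; add -Apply to create the rule
```

The block rule is deliberately a stopgap: it does nothing for hosts that are reachable over 445 from inside the network, which is why the post still calls for patching every system rather than relying on the port block.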
CVE-2022-26817 and CVE-2022-26814 | Windows DNS Server remote code execution vulnerabilities
CVE-2022-26817 and CVE-2022-26814 are RCE vulnerabilities in Windows DNS Server affecting Active Directory Domain Services. Both received a CVSSv3 score of 6.6 and were discovered by Yuki Chen of Cyber KunLun. Exploitation of these vulnerabilities is classified as “Exploitation Less Likely,” which may be due to the higher attack complexity and the permissions required: an attacker on the target network who has permission to query the domain name service must win a race condition. Only with perfectly timed exploitation can the attacker achieve RCE. Patches have been released for supported versions of Windows Server and Windows Server Core installations.
15 Windows Print Spooler Elevation of Privilege Vulnerabilities
This month Microsoft patched 15 EoP vulnerabilities in Print Spooler components, all of which received a CVSSv3 score of 7.8. Three of the vulnerabilities were discovered by George Hughey of the Microsoft Security Response Center Vulnerabilities and Mitigations team, and the other 12 were found by Microsoft Offensive Research and Security Engineering. Although Microsoft classifies these vulnerabilities as “Exploitation Less Likely,” attackers have exploited EoP vulnerabilities in Print Spooler in the past.
The impending end of support
In the coming weeks, several versions of the .NET Framework and Windows 10 will stop receiving updates and support. On April 26, .NET Framework 4.5.2, 4.6, and 4.6.1 reach the end of support because they use the less secure Secure Hash Algorithm 1 (SHA-1). On May 10, Windows 10 version 20H2 reaches the end of support. Users are urged to update to newer versions to ensure they continue to receive essential security updates.
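A host-side check for the end-of-support items listed above, as an added example that is not part of the Tenable post: it reads the .NET Framework 4.x “Release” value and the Windows build from the registry and reports anything matching .NET Framework 4.5.2, 4.6 or 4.6.1 or Windows 10 version 20H2. It assumes PowerShell 5.1 or later on Windows, Microsoft’s documented registry locations and Release-to-version mapping, and the end-of-support dates as stated in the post.

```powershell
# Added example, not from the Tenable post: report whether a Windows host still runs one of
# the .NET Framework versions or the Windows 10 release named above as reaching end of support.
# Assumptions: PowerShell 5.1+ on Windows; registry paths and the Release-to-version mapping are
# Microsoft's documented ones; the end-of-support dates are those stated in the post.

function Get-DotNetFrameworkVersion {
    # .NET Framework 4.x stores a single 'Release' DWORD; the installed version is the
    # highest documented minimum at or below that value.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    if ($null -eq $release) { return $null }          # no .NET Framework 4.x installed
    $map = @(
        @{ Min = 533320; Version = '4.8.1' }, @{ Min = 528040; Version = '4.8'   },
        @{ Min = 461808; Version = '4.7.2' }, @{ Min = 461308; Version = '4.7.1' },
        @{ Min = 460798; Version = '4.7'   }, @{ Min = 394802; Version = '4.6.2' },
        @{ Min = 394254; Version = '4.6.1' }, @{ Min = 393295; Version = '4.6'   },
        @{ Min = 379893; Version = '4.5.2' }
    )
    foreach ($entry in $map) { if ($release -ge $entry.Min) { return $entry.Version } }
    return 'older than 4.5.2'
}

function Get-EndOfSupportFindings {
    $findings = @()

    $dotnet = Get-DotNetFrameworkVersion
    if ($dotnet -in @('4.5.2', '4.6', '4.6.1')) {
        $findings += [pscustomobject]@{
            Component = ".NET Framework $dotnet"; EndOfSupport = '2022-04-26'
            Action = 'Update to a newer .NET Framework version'
        }
    }

    # Windows 10 version 20H2 is build 19042; DisplayVersion carries the marketing name on 20H2 and later.
    $os = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    if ($os.CurrentBuild -eq '19042' -or $os.DisplayVersion -eq '20H2') {
        $findings += [pscustomobject]@{
            Component = "Windows 10 $($os.DisplayVersion)"; EndOfSupport = '2022-05-10'
            Action = 'Update to a supported Windows 10 feature update'
        }
    }
    return $findings
}

$results = Get-EndOfSupportFindings
if (@($results).Count -eq 0) {
    'No end-of-support components from the April 2022 notice found on this host.'
} else {
    $results | Format-Table -AutoSize
}
```

Because a host can carry only one in-place .NET Framework 4.x build, the Release value is enough to decide; side-by-side .NET Core or .NET 5+ runtimes are a separate installation and are not covered by this notice.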
Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the Plugins tab, set an advanced filter for a plugin name containing “April 2022.”
With this filter set, click on the plugin families on the left and enable each plugin that appears on the right. Note: If the families on the left say “Enabled,” then all the plugins in that family are enabled. Disable the entire family before selecting each plugin for this scan.
A list of all plugins released for Tenable’s April 2022 Patch Tuesday Update can be found here. We recommend patching systems as soon as possible and regularly scanning your environment to identify strategies that still need to be repai