Actively used Windows zero-day threatens domain controllers

Microsoft has closed 74 vulnerabilities with its May 2022 Patch Tuesday update, including a zero-day bug rated Important that is being actively exploited in the wild, and several others that are likely to be widespread in enterprise environments.

Also patched are seven critical bugs, 65 other bugs classified as important, and one low-severity issue. The fixes cover the breadth of the computer giant’s portfolio, including: Windows and Windows components, .NET and Visual Studio, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Office and Office components, Windows Hyper-V, Windows Authentication methods, BitLocker, Windows Cluster Shared Volume (CSV), Remote Desktop Client, Windows Network File System, NTFS and Windows Point-to-Point Tunneling Protocol.

3 zero days, 1 actively used
The actively exploited flaw (CVE-2022-26925) is a Windows LSA spoofing vulnerability rated 8.1 out of 10 on the CVSS severity scale. However, Microsoft notes in its advisory that the score rises to critical (CVSS 9.8) when the bug is chained with a Windows NT LAN Manager (NTLM) relay attack.

“[A]n unauthenticated attacker could invoke a method on the LSARPC interface and force the domain controller to authenticate to the attacker via NTLM,” Microsoft warns in its advisory — a worrying situation given the high level of access that a domain controller holds.

NTLM is an outdated authentication protocol with known weaknesses that can easily leak credentials and session keys. In a relay attack, the attacker captures an authentication attempt and forwards it to another server, which lets them authenticate to that remote server with the privileges of the account whose authentication was relayed.
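The coercion described above ends with a domain controller's machine account authenticating over NTLM to a host the attacker chooses; if that authentication is relayed onward, the relay target records a network logon for the DC's machine account coming from the attacker's address rather than from a DC. The following detector, added here as an illustration and not code from the article or from Microsoft, scans flattened Windows Security event records for exactly that pattern: a 4624 network logon, NTLM authentication package, a DC machine account as the target user, and a client address that is not a known DC. The event lines, hostnames, addresses and the DC inventory are all constructed for the example; the field names follow the 4624 event schema.

```python
"""Flag NTLM network logons by domain-controller machine accounts from non-DC addresses.

Added example (not from the article). DC-to-DC traffic normally uses Kerberos, so a
DC machine account arriving over NTLM from an address that is not a DC is worth a
closer look. The inventory sets and the sample log lines below are assumptions
constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

DC_ACCOUNTS = {"DC01$", "DC02$"}           # assumed: machine accounts of the domain controllers
DC_ADDRESSES = {"10.0.0.10", "10.0.0.11"}  # assumed: addresses the DCs legitimately use

# Constructed sample records in a flattened key=value layout (as a log forwarder
# might emit them). The third line is the one a relay would leave behind.
SAMPLE_EVENTS = """\
EventID=4624 TargetUserName=DC01$ AuthenticationPackageName=Kerberos LogonType=3 IpAddress=10.0.0.11 Computer=DC02
EventID=4624 TargetUserName=jsmith AuthenticationPackageName=NTLM LogonType=3 IpAddress=10.0.5.23 Computer=FS01
EventID=4624 TargetUserName=DC01$ AuthenticationPackageName=NTLM LogonType=3 IpAddress=10.0.5.77 Computer=CA01
EventID=4625 TargetUserName=DC02$ AuthenticationPackageName=NTLM LogonType=3 IpAddress=10.0.5.77 Computer=CA01
EventID=4624 TargetUserName=DC02$ AuthenticationPackageName=NTLM LogonType=3 IpAddress=10.0.0.10 Computer=DC01
"""


@dataclass(frozen=True)
class LogonEvent:
    event_id: int       # EventID (4624 = successful logon)
    target_user: str    # TargetUserName; machine accounts end with '$'
    auth_package: str   # AuthenticationPackageName (Kerberos, NTLM, ...)
    logon_type: int     # LogonType (3 = network)
    ip_address: str     # IpAddress of the client that presented the credentials
    computer: str       # host that wrote the event


_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Optional[LogonEvent]:
    """Parse one key=value record; return None if a required field is missing or malformed."""
    fields = dict(_FIELD.findall(line))
    try:
        return LogonEvent(
            event_id=int(fields["EventID"]),
            target_user=fields["TargetUserName"],
            auth_package=fields["AuthenticationPackageName"],
            logon_type=int(fields["LogonType"]),
            ip_address=fields["IpAddress"],
            computer=fields["Computer"],
        )
    except (KeyError, ValueError):
        return None


def is_suspect_dc_ntlm_logon(ev: LogonEvent) -> bool:
    """A DC machine account succeeding over NTLM, as a network logon, from a non-DC address."""
    return (
        ev.event_id == 4624
        and ev.logon_type == 3
        and ev.auth_package.upper() == "NTLM"
        and ev.target_user.upper() in DC_ACCOUNTS
        and ev.ip_address not in DC_ADDRESSES
    )


def find_suspect_logons(log_text: str) -> List[LogonEvent]:
    """Return every parsable record in log_text that matches the relay pattern."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is not None and is_suspect_dc_ntlm_logon(ev):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_suspect_logons(SAMPLE_EVENTS):
        print(f"suspect: {hit.target_user} via NTLM from {hit.ip_address} on {hit.computer}")
```

The rule deliberately ignores failed logons (4625) and anything not over NTLM, so it stays quiet on ordinary Kerberos replication between DCs; tune the two inventory sets to your own environment before relying on it.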

However, the flaw is harder to exploit than most, Trend Micro Zero Day Initiative (ZDI) researcher Dustin Childs explained in a blog post on Tuesday. “The threat actor would need to be in the logical network path between the target and the requested resource (e.g. man-in-the-middle), but since this is listed as being actively attacked, someone must have figured out how to make this happen.”

Tyler Reguly, Tripwire’s manager of security R&D, tells Dark Reading that the bug could be related to a previously known threat called PetitPotam, which emerged in July and allows attackers to force remote Windows systems to divulge easily cracked password hashes.

“Based on the links provided by Microsoft, this appears to be related to the previous PetitPotam patch,” he notes, adding that researchers will speculate on this. “This is an excellent example of where detailed summaries explaining what is happening have been useful in the past. It would be great if Microsoft could make these available again on a regular basis,” he says.

Microsoft also patched two other zero-days, including a critical bug (CVE-2022-29972, CVSS unavailable) in Insight Software’s Magnitude Simba Amazon Redshift ODBC driver – “a third-party ODBC data connector used to connect to Amazon Redshift in Integration Runtime (IR) in Azure Synapse Pipelines and Azure Data Factory,” explains ZDI’s Childs.

He adds, “This update is complicated enough for Microsoft to blog about the bug and its impact on multiple Microsoft services.”

The last zero-day (CVE-2022-22713, CVSS 5.6) is a critical bug in Windows Hyper-V that could allow Denial of Service (DoS).

Leading Lights: Critical Microsoft security bugs that need patching now
As for other patches that admins should prioritize this month, some of the issues classified as critical are widespread across the enterprise infrastructure and could affect millions of organizations, researchers warn.

“The big news is the critical vulnerabilities that need to be highlighted for immediate action,” Chris Hass, security director at Automox, told Dark Reading. “This month there are vulnerabilities in a number of applications that are widely used in most organizations, including NFS, Remote Desktop Client and Active Directory.”

For example, the critical bug affecting the Windows Network File System, or NFS (CVE-2022-26937, CVSS 9.8), could, according to Microsoft’s advisory, allow unauthenticated remote code execution (RCE) in the context of the highly privileged NFS service. What’s more, its ubiquity is Log4j-like: It’s “present in every Windows Server release since 2008,” says Hass, “putting most organizations at risk if not acted upon quickly.”

Additionally, “these types of vulnerabilities will potentially appeal to ransomware operators as they could lead to the disclosure of critical data, which is often part of a ransomware attempt,” Kevin Breen, director of cyber threat research at Immersive Labs, told Dark Reading.

Regarding who should prioritize the patch: “NFS is not enabled by default, but it is widespread in environments where Windows systems are mixed with other operating systems such as Linux or Unix. If this describes your environment, be sure to test it and deploy this patch quickly,” Childs warns.

As for other critical bugs to consider, Breen flags CVE-2022-22017 (CVSS 8.8), an RCE issue in the equally ubiquitous Remote Desktop (RDP) client.

“With more teleworkers than ever before, businesses need to put everything RDP on the radar — especially given its popularity with ransomware actors and access brokers,” he warns.

The Active Directory bug (CVE-2022-26923, CVSS 8.8) is found in Active Directory Domain Services and could allow elevation of privilege due to a certificate issuance issue. ZDI, which reported the bug, says that where Active Directory Certificate Services is running, an attacker can obtain a certificate that authenticates to a DC with a high level of privilege, allowing any domain-authenticated user to become a domain administrator.

“This is a very common deployment,” says Childs. “Given the severity of this bug and the relative ease of exploitation, it wouldn’t surprise me to see active attacks using this technique sooner rather than later.”

Of less concern, Breen says, is a cluster of 10 RCE bugs in LDAP (the most severe, CVE-2022-22012, has a CVSS score of 9.8). These “appear to be particularly threatening, but have been flagged by Microsoft as ‘less likely to be exploited’ because they require a default configuration that is unlikely to exist in most environments,” he notes. “Not to say these don’t need to be patched, just a reminder that context is important when prioritizing patches.”

The worst of the rest
A handful of other vulnerabilities that researchers also noted are worth mentioning here, starting with Windows Print Spooler, which has long been an attractive bull’s-eye for cyber attackers.

“Several Windows Print Spooler vulnerabilities were patched this month, including two information disclosure bugs (CVE-2022-29114, CVE-2022-29140) and two elevation of privilege bugs (CVE-2022-29104, CVE-2022-29132),” Satnam Narang, research engineer at Tenable, tells Dark Reading. “All vulnerabilities are rated as important, and two of the three are considered more likely to be exploited. Windows Print Spooler continues to be a valuable target for attackers since PrintNightmare was disclosed almost a year ago. Specifics should be carefully prioritized as we’ve seen ransomware groups like Conti favor them as part of their playbook.”

Breen also highlighted two other important bugs as priorities for patching:

  • CVE-2022-29108, a remote code execution bug in SharePoint that could likely be exploited by an attacker attempting to move laterally through an organization. “Because exploits require authenticated access, an attacker could use it to steal sensitive information or inject documents with malicious code or macros that could be part of a broader attack chain,” Breen warns.
  • According to Breen, a flaw in Azure Data Factory (no CVE assigned) is remotely exploitable and can expose a company’s sensitive data.

Virsec CTO and co-founder Satya Gupta says it is important for defenders to consider the broader context of Microsoft’s patching trends. In the last year in particular, more than a third of patches (1,330, or 36%) addressed RCE issues.

“Obviously, this presents a tremendous opportunity for malicious actors to compromise almost every customer,” he says. “Overall, several of May’s vulnerabilities pose a threat to Log4j, especially considering what it would cost to patch millions of servers.”
