Microsoft has released patches to correct 75 flaws in its products on May 2022 Patch Tuesday, including 3 zero-days, one of which is being actively exploited in MitM attacks.
The actively exploited zero-day is tracked as CVE-2022-26925 and is a Windows LSA spoofing vulnerability, which allows attackers to authenticate to domain controllers. According to Microsoft, “An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM.” Before the vulnerability can be exploited, attackers must inject themselves into the logical network path between the target and the resource requested by the victim, otherwise, they would not be able to read or modify network communications.
Because of the complexity of the attack, the flaw is only assigned a CVSS severity score of 8.1 out of 10 and is rated important; however, it should be noted that the flaw can be chained with other NTLM Relay attacks, which would make the flaw critical, PetitPotam being one example. Microsoft has previously published guidance on how to prevent NTLM Relay attacks.
The other two zero-days are not believed to have been exploited in the wild; however, PoC exploits for the flaws are in the public domain. One is a Windows remote code execution that affects Azure Synapse and Azure Data Factory, tracked as CVE-2022-29972 (No CVSS Score assigned), and the other is a Hyper-V denial-of-service vulnerability, tracked as CVE-2022-22713 (CVSS 5.6).
There are 8 critical vulnerabilities in this month’s round of patches:
- Azure SHIR – ADV220001 (in response to CVE-2022-29972) – Remote Code Execution
- Remote Desktop Client – CVE-2022-22017 – Remote Code Execution
- Self-hosted Integration Runtime – CVE-2022-29972 – Remote Code Execution
- Windows Active Directory – CVE-2022-26923 – Elevation of Privilege
- Windows Kerberos – CVE-2022-26931 – Elevation of Privilege
- Windows Network File System – CVE-2022-26937 – Remote Code Execution
- Windows Point-to-Point Tunneling Protocol – CVE-2022-23270 – Remote Code Execution
- Windows Point-to-Point Tunneling Protocol – CVE-2022-21972 – Remote Code Execution
This month’s patches include several Windows Print Spooler vulnerabilities. While these flaws have only been rated important, Windows Print Spooler flaws are often targeted and exploitation is “more likely”. They include two elevation of privilege flaws – CVE-2022-29104 and CVE-2022-29132 – and two information disclosure flaws – CVE-2022-29114 and CVE-2022-29140.
As always, prompt patching is strongly recommended.
Adobe Addresses 18 Vulnerabilities on May 2022 Patch Tuesday
Adobe has released patches to fix 18 vulnerabilities in 5 products: Adobe ColdFusion, Adobe InCopy, Adobe Framemaker, Adobe InDesign, and Adobe Character Animator.
10 of the vulnerabilities affect Adobe Framemaker, 9 of which are rated critical and can lead to code execution. Three critical code execution flaws have been fixed in each of Adobe ColdFusion and Adobe InCopy, a single critical code execution flaw has been fixed in Character Animator, and one important cross-site scripting flaw has been corrected in Adobe InDesign.