Microsoft has released security fixes for several vulnerabilities including patches for zero-day vulnerabilities in its April 2022 Patch Tuesday.
Microsoft addressed 145 vulnerabilities in its April 2022 Patch Tuesday release. Of these 145 vulnerabilities, 10 are rated as critical. The release also includes fixes for two zero-day vulnerabilities, one of which is known to be actively exploited.
Microsoft has patched several flaws in their software including Denial of Service, Elevation of Privilege, Information Disclosure, Remote Code Execution, and Spoofing vulnerabilities.
This month’s advisory covers multiple Microsoft products, including, but not limited to, Azure, Browser (Edge – Chromium), Developer Tools, Extended Security Update (ESU), Microsoft Dynamics, Microsoft Office, SQL Server, System Center, and Windows.
The vulnerabilities are classified as:
- Spoofing Vulnerability: 3
- Denial of Service Vulnerability: 9
- Elevation of Privilege Vulnerability: 47
- Edge-based Chromium vulnerability: 26
- Information Disclosure Vulnerability: 13
- Remote Code Execution Vulnerability: 47
Two zero-day vulnerabilities fixed in April 2022 Patch Tuesday
CVE-2022-26904 – Windows User Profile Service Elevation of Privilege Vulnerability
This vulnerability affects the Windows User Profile Service and is a publicly known zero-day issue. It has a CVSS score of 7.0, and its attack complexity is rated as ‘high,’ according to Microsoft, because “the successful exploitation of this vulnerability requires an attacker to win a race condition.”
CVE-2022-24521 – Windows Common Log File System Driver Elevation of Privilege Vulnerability
Another elevation of privilege issue has been discovered in the Windows Common Log File System Driver. Although the vulnerability had not been made public until now, Microsoft states that the attack complexity is modest and that active exploitation has been detected.
Some of the important Microsoft vulnerabilities patched this month:
CVE-2022-23259 – Microsoft Dynamics 365 (on-premises) Remote Code Execution (RCE) Vulnerability
An authenticated user could run a specially crafted trusted solution package to execute arbitrary SQL commands. From there, the attacker could escalate and execute commands as db_owner within their Dynamics 365 database.
CVE-2022-24491 and CVE-2022-24497 – Windows Network File System Remote Code Execution (RCE) Vulnerability
An attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution. NOTE: This vulnerability is only exploitable for systems that have the NFS role enabled.
CVE-2022-24500 – Windows SMB Remote Code Execution (RCE) Vulnerability
This vulnerability requires that a user with an affected version of Windows access a malicious server. For the vulnerability to be exploited, a user would need to access a malicious SMB server to retrieve some data as part of an OS API call. Microsoft offers mitigations for this vulnerability: block TCP port 445 at the enterprise perimeter firewall and follow Microsoft’s guidelines to secure SMB traffic.
CVE-2022-24541 – Windows Server Service Remote Code Execution (RCE) Vulnerability
This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have no way to force users to visit the specially crafted server share or website, but would have to convince them to do so, typically by way of an enticement in an email or chat message. Microsoft offers mitigations for this vulnerability: block TCP port 445 at the enterprise perimeter firewall and follow Microsoft’s guidelines to secure SMB traffic.
CVE-2022-26809 – Remote Procedure Call (RPC) Runtime Remote Code Execution (RCE) Vulnerability
To exploit this vulnerability, an attacker would need to send a specially crafted Remote Procedure Call (RPC) to an RPC host. This could result in remote code execution (RCE) on the server side with the same permissions as the RPC service. Microsoft offers mitigations for this vulnerability: block TCP port 445 at the enterprise perimeter firewall and follow Microsoft’s guidelines to secure SMB traffic.
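As an added example (not code from the Qualys post or from Microsoft), the following read-only PowerShell audit checks a Windows Server host for the exposure conditions named above: whether the NFS server role is installed (the precondition for CVE-2022-24491 and CVE-2022-24497), whether SMB (TCP 445) and the RPC endpoint mapper (TCP 135, a well-known port not named in the advisory) are listening, and which enabled host firewall rules still allow inbound TCP 445. It assumes an elevated session on Windows Server with the ServerManager and NetSecurity modules available.

```powershell
# Added example: exposure audit for the April 2022 SMB/NFS/RPC advisories.
# Read-only; it changes no firewall rules. Run elevated on Windows Server.

function Test-NfsRoleEnabled {
    # CVE-2022-24491/24497 are only exploitable when the NFS role is enabled.
    $feature = Get-WindowsFeature -Name 'FS-NFS-Service' -ErrorAction SilentlyContinue
    return [bool]($feature -and $feature.Installed)
}

function Get-ListeningTcpPorts {
    param([int[]]$Ports)
    # Report which of the given ports (445 = SMB, 135 = RPC endpoint mapper)
    # currently have a listening TCP socket on this host.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort } |
        Select-Object -ExpandProperty LocalPort -Unique
}

function Get-InboundAllowRulesForPort {
    param([int]$Port)
    # Enabled inbound allow rules whose TCP port filter covers $Port.
    # Note: port ranges such as '1-65535' are not expanded here; only an
    # exact port match or 'Any' is treated as covering the port.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and
                ($pf.LocalPort -contains "$Port" -or $pf.LocalPort -contains 'Any')
        } |
        Select-Object -ExpandProperty DisplayName
}

$report = [ordered]@{
    NfsServerRoleInstalled = Test-NfsRoleEnabled
    ListeningTcpPorts      = @(Get-ListeningTcpPorts -Ports 445, 135)
    InboundAllowRules445   = @(Get-InboundAllowRulesForPort -Port 445)
}
[pscustomobject]$report | Format-List
```

A host where NfsServerRoleInstalled is True, or where 445 is listening and still allowed inbound, should be prioritised for the April update and for the perimeter blocking of TCP 445 that Microsoft recommends.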
Visit the April 2022 Security Updates page to access the full description of each vulnerability and the systems that it affects.
Customers can scan their network with QIDs 91879, 91880, 91881, 91882, 91883, 91884, 91885, 91886, 91889, 91890, 110404, 110405, 110406, 376535 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.