Patch Tuesday May 2022: 74 vulnerabilities corrected including 1 exploited

Microsoft’s latest Patch Tuesday release closes 74 vulnerabilities, including 7 rated critical. Rated important, with a CVSS score of 8.1, the Windows LSA spoofing flaw CVE-2022-26925 should be patched as a matter of urgency.

Companies must keep their IT systems up to date to limit the risk of compromise, especially those running Windows systems, applications and services, as Microsoft’s latest Patch Tuesday clearly shows. The latest batch of patches corrects 74 flaws, including seven critical ones and one that is being exploited. The latter, identified as CVE-2022-26925 with a CVSS score of 8.1 and classified as important, allows an unauthenticated user to force a domain controller to authenticate to another server using the NTLM authentication protocol, which is used in various Windows network services.

Note that the security update offered by Microsoft detects anonymous connection attempts to the Local Security Authority Remote Procedure Call (LSARPC) interface, which is used in Microsoft/Windows environments to perform management tasks on domain security policies from a remote machine, and blocks them. The attack vector is man-in-the-middle, requiring the attacker to inject malicious code into the logical network path between the target and the resource requested by the victim in order to read or modify network communications.

Avoid reliving a PetitPotam attack scenario

In addition to this fix, Microsoft strongly recommends referring to advisories KB5005413 and ADV210003 to assess additional measures to be put in place to prevent NTLM relay attacks, as was the case for example a few months ago with PetitPotam. “Also note that this hotfix affects some backup functionality on Server 2008 SP2. If you use this operating system, read this one carefully to ensure that your backups can still be used for recovery,” security researchers from the Zero Day Initiative (ZDI) also warned.

Not exploited but critical and publicly disclosed, the CVE-2022-29972 flaw affecting the Magnitude Simba Amazon Redshift ODBC driver used in Azure Synapse Pipelines and Azure Data Factory integration runtimes must also be taken very seriously. It can allow an attacker to execute commands remotely in these environments. Other equally critical flaws to patch: the one presenting a risk of elevation of privilege in Active Directory Domain Services (CVE-2022-26923), and CVE-2022-26937, with a very high CVSS score (9.8), which could be used over the network by making an unauthenticated call to a Network File System (NFS) service to enable remote malicious code execution. “NFS is not enabled by default, but is typically used in environments where Windows systems are mixed with other operating systems such as Linux or Unix. If this matches your environment, you should definitely test and fix this fix soon. Microsoft notes that NFSv4.1 is not exploitable, so upgrade from NFSv2 or NFSv3 if possible,” the ZDI researchers also warn.
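The ZDI advice on NFS above, turned into a local check (an added example, not from the original article or from Microsoft): it reports whether the Server for NFS role is installed and whether NFSv2 or NFSv3 is still enabled. It assumes a Windows Server host and an elevated PowerShell session; the function name `Get-NfsExposure` is hypothetical.

```powershell
# Added example: audit the local server for the NFS exposure relevant to CVE-2022-26937.
# Assumption: Windows Server, elevated PowerShell session.
function Get-NfsExposure {
    $result = [ordered]@{
        Computer      = $env:COMPUTERNAME
        RoleInstalled = $false
        NFSv2         = $null
        NFSv3         = $null
        NFSv4_1       = $null
        Finding       = 'Server for NFS is not installed; nothing to do for this service.'
    }

    # Get-WindowsFeature ships with the ServerManager module (Server SKUs only).
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsFeature -Name FS-NFS-Service
        $result.RoleInstalled = [bool]($feature -and $feature.Installed)
    }

    # The NFS cmdlets are only present once the role is installed.
    if ($result.RoleInstalled -and
        (Get-Command Get-NfsServerConfiguration -ErrorAction SilentlyContinue)) {
        $cfg = Get-NfsServerConfiguration
        $result.NFSv2   = $cfg.EnableNFSV2
        $result.NFSv3   = $cfg.EnableNFSV3
        $result.NFSv4_1 = $cfg.EnableNFSV4

        if ($cfg.EnableNFSV2 -or $cfg.EnableNFSV3) {
            # NFSv2/NFSv3 are the versions the article names as affected.
            $result.Finding = 'NFSv2/NFSv3 enabled: patch first, then plan the move to NFSv4.1.'
        } else {
            $result.Finding = 'Only NFSv4.1 enabled; still apply the May 2022 update.'
        }
    }

    [pscustomobject]$result
}

Get-NfsExposure | Format-List

# Once every client speaks NFSv4.1, the older versions can be switched off with
#   Set-NfsServerConfiguration -EnableNFSV2 $false -EnableNFSV3 $false
# Doing so disconnects clients that still mount over NFSv2 or NFSv3.
```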
