Patch Tuesday update fixes several vulnerabilities
Exploits and vulnerabilities | News

April’s Patch Tuesday update includes fixes for two zero-day vulnerabilities

Posted: April 13, 2022 by Pieter Arntz

It’s that time of the month again. Time to check what needs to be updated and prioritize where necessary. The Microsoft updates include at least two zero-day vulnerabilities that deserve your attention.

Microsoft

Microsoft has released security updates and non-security updates for client and server versions of its Windows operating system and other company products, including Microsoft Office and Edge.

For those that have extended support for Windows 7, there are four critical remote code execution (RCE) vulnerabilities to worry about:

  • CVE-2022-24500CVSS8.8 out of 10, a Windows SMB Remote Code Execution vulnerability
  • CVE-2022-24541CVSS 8.8, a Windows Server Service Remote Code Execution vulnerability
  • CVE-2022-26809CVSS 9.8, a Remote Procedure Call Runtime Remote Code Execution vulnerability
  • CVE-2022-26919CVSS 8.1, a Windows LDAP Remote Code Execution vulnerability

CVE-2022-26809 does have a CVSS of 9.8 for good reason. It affects almost every Windows OS and Microsoft has it listed as more likely to be exploited. To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service. TCP port 445 is used to initiate a connection with the affected component. And some quick Shodan scans showed that millions of systems have that port open.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available. The zero-day vulnerabilities fixed in this update cycle are:

  • CVE-2022-26904CVSS 7.0, a Windows User Profile Service Elevation of Privilege (EoP) vulnerability. This one is marked with a high attack complexity, because successful exploitation of this vulnerability requires an attacker to win a race condition. But the vulnerability is public knowledge and there is an existing Metasploit module for it. Metasploit is an open-source penetrating framework used by security engineers as a penetration testing system and a development platform that allows to create security tools and exploits.
  • CVE-2022-24521CVSS 7.8, a Windows Common Log File System Driver Elevation of Privilege vulnerability. This vulnerability has been used in the wild. Microsoft says that attack complexity is low. The vulnerability was reported to Microsoft by the National Security Agency (NSA) and Crowdstrike.

Other notable CVEs:

  • CVE-2022-24491CVSS 9.8, a Windows Network File System Remote Code Execution vulnerability. This vulnerability is only exploitable for systems that have the NFS roleenabled. An attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution.
  • CVE-2022-24997CVSS 9.8, another Windows Network File System Remote Code Execution vulnerability. This vulnerability is only exploitable for systems that have the NFS role enabled. An attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution.

On these systems with the NFS role enabled, a remote attacker could execute their code with high privileges and without user interaction. This worries experts as these may turn out to be wormable bugs between NFS servers. For a temporary solution, more information on installing or uninstalling Roles or Role Services is available here.

A vulnerability is considered to be wormable if an attack can be launched that requires no human interaction to spread. The impact can be considerable if the number of vulnerable machine is high enough. In these cases web application firewalls (WAFs) would help to mitigate the risk.

In related news, Microsoft announcedthe release of Windows Autopatch, which is set for July 2022. This will hopefully lessen some of the burdens that come with patch management.

Edge and Chrome

The Microsoft updates included 26 Microsoft Edge vulnerabilities and Google released a stable channel update for Windows, Mac, and Linux that includes 11 security fixes. Eight out of those 11 were rated with a High severity, none were marked as Critical.

Other updates

While you’re at it, we also saw updates from vendors like:

Stay safe, everyone!

RELATED ARTICLES

week in security
News

A week in security (April 8 – April 14)

April 15, 2024 - A list of topics we covered in the week of April 8 to April 14 of 2024

CONTINUE READING 0 Comments
change social security number
News

How to change your Social Security Number

April 12, 2024 - Wondering whether changing your SSN is an option. Read here what you need to qualify for a new SSN and what you need to get one.

CONTINUE READING 0 Comments
mercenary spyware alert
News | Privacy

Apple warns people of mercenary attacks via threat notification system

April 11, 2024 - Apple has sent alerts to people in 92 nations to say it's detected that they may have been a victim of a mercenary attack.

CONTINUE READING 0 Comments
A 13-year-old girl is using her smartphone in the dark room. The content she is browsing projects in front of her.
Cybercrime | Personal

How to protect yourself from online harassment

April 10, 2024 - Don't wait for an online harassment campaign to unfairly target you or a loved one. Take these proactive steps today to stay safe.

CONTINUE READING 0 Comments
Introducing the Digital Footprint Portal
Cybercrime

Introducing the Digital Footprint Portal

April 10, 2024 - Find out what sensitive data of yours is exposed online today with our new, free Digital Footprint Portal.

CONTINUE READING 0 Comments

ABOUT THE AUTHOR

Pieter Arntz

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

Contributors icon

Contributors

Threat Center icon

Threat Center

Podcasts icon

Podcast

Glossary icon

Glossary

Scams icon

Scams