Microsoft has released fixes for 74 vulnerabilities in its latest patch cycle. Seven of these are rated critical, including a Windows LSA Spoofing Vulnerability (CVE-2022-26925) which is being exploited in the wild. This bug could be chained with an NTLM relay attack for further impact. It appears to be a reintroduction of the PetitPotam bug from last year.
CVE-2022-26937 is a remote code execution (RCE) vulnerability in the Windows Network File System (NFS) that targets mixed OS environments.
CVE-2022-29972 is a vulnerability that affects Azure Data Factory and Azure Synapse Pipelines. It has been patched in the cloud, but on-premises users should update. The researchers who discovered the flaw have published a write-up (calling it SynLapse) and we’ve written our own analysis.
- CVE-2022-26923 – An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege.
- CVE-2022-26925 – An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM.
- CVE-2022-26937 – An unauthenticated network attacker could make a call to a Network File System (NFS) service to trigger an RCE.
- CVE-2022-29972 – A malicious Azure Synapse user could access user credentials and run code on other customers’ machines.
- .NET and Visual Studio
- .NET Framework
- Azure SHIR
- Microsoft Exchange Server
- Microsoft Graphics Component
- Microsoft Local Security Authority Server (lsasrv)
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office SharePoint
- Microsoft Windows ALPC
- Remote Desktop Client
- Role: Windows Fax Service
- Role: Windows Hyper-V
- Self-hosted Integration Runtime
- Tablet Windows User Interface
- Visual Studio
- Visual Studio Code
- Windows Active Directory
- Windows Address Book
- Windows Authentication Methods
- Windows BitLocker
- Windows Cluster Shared Volume (CSV)
- Windows Failover Cluster Automation Server
- Windows Kerberos
- Windows Kernel
- Windows LDAP – Lightweight Directory Access Protocol
- Windows Media
- Windows Network File System
- Windows NTFS
- Windows Point-to-Point Tunnelling Protocol
- Windows Print Spooler Components
- Windows Push Notifications
- Windows Remote Access Connection Manager
- Windows Remote Desktop
- Windows Remote Procedure Call Runtime
- Windows Server Service
- Windows Storage Spaces Controller
- Windows WLAN Auto Config Service
Containment, Mitigations & Remediations
Microsoft strongly recommends installing security updates as soon as possible. It has pointed administrators to its previous advice on Mitigating NTLM Relay Attacks; however, these measures are not enough to block all forms of attack. The SynLapse advisory includes the assessment that further architectural improvements are required from Microsoft for tenancy separation. Microsoft acknowledges this while fixing the CVE and has committed to stronger user isolation. The NFS vulnerability (CVE-2022-26937, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26937) can be mitigated by disabling NFSv2 and NFSv3, but these protocol versions may still be required for legacy compatibility.
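As an added example (not part of the original advisory or Microsoft's own guidance), the NFSv2/NFSv3 workaround above carried out in PowerShell on a Windows Server hosting the Server for NFS role: it reports the current protocol versions, lists the exports so legacy clients can be checked first, and only disables v2/v3 when run with -Apply. The function name and the -Apply switch are this example's own; Get-/Set-NfsServerConfiguration, Get-NfsShare and nfsadmin are the built-in tools.

```powershell
# Added example: audit and optionally apply the CVE-2022-26937 workaround of
# disabling NFSv2 and NFSv3 on Server for NFS (NFSv4.1 stays enabled).
# Run from an elevated PowerShell session on the NFS server itself.
# Invoke-NfsLegacyProtocolHardening and -Apply are names chosen for this example.
function Invoke-NfsLegacyProtocolHardening {
    [CmdletBinding()]
    param(
        # Without -Apply the function only reports; with it, v2/v3 are disabled.
        [switch]$Apply
    )

    # Nothing to do on hosts that do not run the Server for NFS role.
    $role = Get-WindowsFeature -Name FS-NFS-Service
    if (-not $role.Installed) {
        Write-Output 'Server for NFS is not installed; nothing to do.'
        return
    }

    # Weak state: EnableNFSV2 / EnableNFSV3 are True (the role's default).
    $cfg = Get-NfsServerConfiguration
    Write-Output ("Current state: NFSv2={0} NFSv3={1} NFSv4={2}" -f $cfg.EnableNFSV2, $cfg.EnableNFSV3, $cfg.EnableNFSV4)

    if (-not ($cfg.EnableNFSV2 -or $cfg.EnableNFSV3)) {
        Write-Output 'NFSv2 and NFSv3 are already disabled; no change needed.'
        return
    }

    # Show the exports that legacy (v2/v3-only) clients may still depend on,
    # so the compatibility caveat in the advisory can be checked before cutting them off.
    Write-Output 'Exports currently published by this server:'
    Get-NfsShare | Format-Table Name, Path -AutoSize | Out-String | Write-Output

    if (-not $Apply) {
        Write-Warning 'NFSv2/NFSv3 are enabled. Re-run with -Apply to disable them (v2/v3-only clients will lose access).'
        return
    }

    # Hardened state: only NFSv4.1 is left enabled.
    Set-NfsServerConfiguration -EnableNFSV2 $false -EnableNFSV3 $false

    # The new protocol settings take effect after the NFS server service restarts.
    nfsadmin server stop
    nfsadmin server start

    $after = Get-NfsServerConfiguration
    Write-Output ("After change: NFSv2={0} NFSv3={1} NFSv4={2}" -f $after.EnableNFSV2, $after.EnableNFSV3, $after.EnableNFSV4)
}

# Report-only by default; add -Apply once legacy clients have been accounted for.
Invoke-NfsLegacyProtocolHardening
```

Clients that mount over NFSv3 will fail to reconnect after the change, which is the compatibility trade-off the advisory refers to; patching remains the complete fix.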
Indicators of Compromise
Three of these vulnerabilities are classified as zero-days, meaning they were publicly disclosed or exploited before fixes were available. The first is the reintroduction of PetitPotam. Threat actors will get good use out of this, as tooling for this attack is already mature. The second is SynLapse. It has been fixed with no sign of exploitation and has prompted Microsoft to take further measures to protect its infrastructure. The third (CVE-2022-22713) is a Denial of Service vulnerability in Hyper-V. Although it has been disclosed publicly, exploitation is listed as “less likely”.
- T1190 – Exploit Public-Facing Application
- T1210 – Exploitation of Remote Services
- T1499.004 – Application or System Exploitation
- T1548 – Abuse Elevation Control Mechanism