Home / About / Threat Intelligence / Wormable vulnerabilities included in April Patch Tuesday

Overview

Microsoft has released patches to address 145 vulnerabilities including 10 remote code execution (RCE) vulnerabilities rated “critical”. Out of these, the most concerning are the one in RPC (CVE-2022-26809) and two bugs in NFS (CVE-2022-24491 and CVE-2022-24497). These are considered low complexity to exploit and require no user interaction to gain high privilege access, meaning a self-propagating (worm) exploit may be possible.

Other critical RCE vulnerabilities affect Microsoft Dynamics 365 (CVE-2022-23259), Hyper-V (CVE-2022-22008, CVE-2022-24537, CVE-2022-23257), LDAP (CVE-2022-26919), and SMB (CVE-2022-24500 and CVE-2022-24541).

Fixes for two zero-days (publicly disclosed or actively exploited without a fix) are also included. These are both privilege escalation vulnerabilities (CVE-2022-26904 and CVE-2022-24521) in Windows rated “important”. One was reported to be under active exploitation by the National Security Agency (NSA).

Impact

An unauthenticated remote attacker could execute code with high privileges on a machine by sending a specially crafted Remote Procedure Call (RPC) request.

Affected Products

  • Active Directory Domain Services
  • Azure SDK
  • LDAP – Lightweight Directory Access Protocol
  • Microsoft Bluetooth Driver
  • Microsoft Dynamics
  • Microsoft Graphics Component
  • Microsoft Local Security Authority Server (lsasrv)
  • Microsoft Office Excel
  • Microsoft Office SharePoint
  • Microsoft Windows ALPC
  • Microsoft Windows Codecs Library
  • Microsoft Windows Media Foundation
  • Power BI
  • Role: DNS Server
  • Role: Windows Hyper-V
  • Skype for Business
  • Visual Studio Code
  • Windows Ancillary Function Driver for WinSock
  • Windows App Store
  • Windows AppX Package Manager
  • Windows Cluster Client Failover
  • Windows Cluster Shared Volume (CSV)
  • Windows Common Log File System Driver
  • Windows DWM Core Library
  • Windows Endpoint Configuration Manager
  • Windows Fax Compose Form
  • Windows Feedback Hub
  • Windows File Explorer
  • Windows File Server
  • Windows Installer
  • Windows iSCSI Target Service
  • Windows Kerberos
  • Windows Kernel
  • Windows Local Security Authority Subsystem Service
  • Windows Media
  • Windows Network File System
  • Windows PowerShell
  • Windows Print Spooler Components
  • Windows RDP
  • Windows Remote Procedure Call Runtime
  • Windows Schannel
  • Windows SMB
  • Windows Telephony Server
  • Windows Upgrade Assistant
  • Windows User Profile Service
  • Windows Win32K
  • Windows Work Folder Service
  • YARP reverse proxy

Containment, Mitigations & Remediations

Update installation: Microsoft has released several security updates for vulnerabilities. Our recommendation is to install these updates immediately to protect your environment.

Indicators of Compromise

None published at this time.

Threat Landscape

An RCE exploitable over the internet would be very appealing to ransomware operators.

Mitre Methodologies

T1190 – Exploit Public-Facing Application
T1068 – Exploitation for Privilege Escalation
T1210 – Exploitation of Remote Services

Further Information

Windows Common Log File System Driver Elevation of Privilege Vulnerability
Windows User Profile Service Elevation of Privilege Vulnerability