Wormable vulnerabilities included in April Patch Tuesday
Overview
Microsoft has released patches to address 145 vulnerabilities, including 10 remote code execution (RCE) vulnerabilities rated “critical”. Of these, the most concerning are the vulnerability in RPC (CVE-2022-26809) and two bugs in NFS (CVE-2022-24491 and CVE-2022-24497). All three are considered low complexity to exploit and require no user interaction to gain high-privilege access, meaning a self-propagating (worm) exploit may be possible.
Other critical RCE vulnerabilities affect Microsoft Dynamics 365 (CVE-2022-23259), Hyper-V (CVE-2022-22008, CVE-2022-24537, CVE-2022-23257), LDAP (CVE-2022-26919), and SMB (CVE-2022-24500 and CVE-2022-24541).
Fixes for two zero-days (vulnerabilities publicly disclosed or actively exploited before a fix was available) are also included. These are both privilege escalation vulnerabilities in Windows (CVE-2022-26904 and CVE-2022-24521) rated “important”. One was reported by the National Security Agency (NSA) to be under active exploitation.
Impact
An unauthenticated remote attacker could execute code with high privileges on a machine by sending a specially crafted Remote Procedure Call (RPC) request.
Affected Products
- Active Directory Domain Services
- Azure SDK
- LDAP – Lightweight Directory Access Protocol
- Microsoft Bluetooth Driver
- Microsoft Dynamics
- Microsoft Graphics Component
- Microsoft Local Security Authority Server (lsasrv)
- Microsoft Office Excel
- Microsoft Office SharePoint
- Microsoft Windows ALPC
- Microsoft Windows Codecs Library
- Microsoft Windows Media Foundation
- Power BI
- Role: DNS Server
- Role: Windows Hyper-V
- Skype for Business
- Visual Studio Code
- Windows Ancillary Function Driver for WinSock
- Windows App Store
- Windows AppX Package Manager
- Windows Cluster Client Failover
- Windows Cluster Shared Volume (CSV)
- Windows Common Log File System Driver
- Windows DWM Core Library
- Windows Endpoint Configuration Manager
- Windows Fax Compose Form
- Windows Feedback Hub
- Windows File Explorer
- Windows File Server
- Windows Installer
- Windows iSCSI Target Service
- Windows Kerberos
- Windows Kernel
- Windows Local Security Authority Subsystem Service
- Windows Media
- Windows Network File System
- Windows PowerShell
- Windows Print Spooler Components
- Windows RDP
- Windows Remote Procedure Call Runtime
- Windows Schannel
- Windows SMB
- Windows Telephony Server
- Windows Upgrade Assistant
- Windows User Profile Service
- Windows Win32K
- Windows Work Folder Service
- YARP reverse proxy
Containment, Mitigations & Remediations
Update installation: Microsoft has released security updates for these vulnerabilities. Our recommendation is to install them immediately to protect your environment.
Indicators of Compromise
None published at this time.
Threat Landscape
An RCE exploitable over the internet would be very appealing to ransomware operators.
Mitre Methodologies
T1190 – Exploit Public-Facing Application
T1068 – Exploitation for Privilege Escalation
T1210 – Exploitation of Remote Services
Further Information
Windows Common Log File System Driver Elevation of Privilege Vulnerability
Windows User Profile Service Elevation of Privilege Vulnerability