<h1>Microsoft fixes three zero-days on May Patch Tuesday</h1>
<p>Published 11 May 2022 at <a href="https://cloudnewshub.com/?p=35715">cloudnewshub.com</a>.</p>
<p>Three zero-days, including one that is being actively exploited and must be addressed immediately, are among more than 70 vulnerabilities fixed by Microsoft in its May 2022 <a href="https://msrc.microsoft.com/update-guide">Patch Tuesday drop</a>.</p>
<p>Tracked as <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925">CVE-2022-26925</a>, the exploited zero-day is a Windows Local Security Authority (LSA) spoofing vulnerability impacting Windows 7 to 10, and Windows Server 2008 to 2022.</p>
<p>In an advisory, Microsoft said: “An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows it.”</p>
<p><a href="https://www.zerodayinitiative.com/blog/2022/5/10/the-may-2022-security-update-review">Dustin Childs of the Zero Day Initiative</a> said that to exploit CVE-2022-26925, “the threat actor would need to be in the logical network path between the target and the resource requested, e.g. man-in-the-middle, but since this is listed as under active attack, someone must have figured out how to make that happen”.</p>
<p><a href="https://www.immersivelabs.com/">Immersive Labs</a> director of threat research, Kev Breen, added: “While the advisory lists this as a CVSS of 7.1, the score jumps to a 9.8 when used as part of an NTLM attack. While all servers are affected, domain controllers should be a priority for protection as, once exploited, this provides high-level access to privileges, often known as ‘the keys to the kingdom’.”</p>
<p>Alongside CVE-2022-26925, the two other zero-days in the latest update are <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22713">CVE-2022-22713</a> in Windows Hyper-V, and <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972">CVE-2022-29972</a> in the Magnitude Simba Amazon Redshift ODBC Driver. Neither is yet known to have been exploited.</p>
<p>Greg Wiseman, lead product manager at <a href="https://www.rapid7.com/">Rapid7</a>, broke down these additional zero-days. “CVE-2022-22713 is a denial-of-service vulnerability that affects Hyper-V servers running relatively recent versions of Windows (20H2 and later),” he said.</p>
<p>“CVE-2022-29972 is a critical RCE [remote code execution vulnerability] that affects the Amazon Redshift ODBC driver used by Microsoft’s Self-hosted Integration Runtime, a client agent that enables on-premise data sources to exchange data with cloud services such as Azure Data Factory and Azure Synapse Pipelines.”</p>
<p>Wiseman added: “This vulnerability also prompted Microsoft to publish their first guidance-based advisory of the year, <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV220001">ADV220001</a>, indicating their plans to strengthen tenant isolation in their cloud services without actually providing any specific details or actions to be taken by customers.”</p>
<p>Meanwhile, Allan Liska of <a href="https://www.recordedfuture.com/">Recorded Future</a> assessed some of the other more noteworthy vulnerabilities acknowledged in this release, which arrives ahead of <a href="https://techcommunity.microsoft.com/t5/windows-it-pro-blog/get-current-and-stay-current-with-windows-autopatch/ba-p/3271839">the planned launch of Windows Autopatch</a>, Microsoft’s service for automating the rollout of these monthly updates to enrolled enterprise devices.</p>
<p>“CVE-2022-22012 and CVE-2022-29130 are both remote code execution vulnerabilities in Microsoft’s LDAP service. These vulnerabilities have both been labelled Critical by Microsoft, with CVSS scores of 9.8,” said Liska.</p>
<p>“That being said, Microsoft <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29130">cautions in</a> its <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22012">bulletin for both</a> that: ‘This vulnerability is only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. Systems with the default value of this policy would not be vulnerable.’ It does appear that having the MaxReceiveBuffer set to a higher value than the default is an uncommon configuration, but if your organisation does, this should be prioritised for patching.”</p>
<p>Liska continued: “CVE-2022-26937 is a remote code execution vulnerability in the network file system [NFS]. This is a serious vulnerability that impacts Windows Server 2008 through 2022 and is labelled Critical by Microsoft with a CVSS score of 9.8. This vulnerability only affects NFSv2 and NFSv3, and Microsoft has included instructions for disabling these <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26937">versions of NFS in the bulletin</a>. Microsoft labels the ease of exploitation of this vulnerability as ‘Exploitation More Likely’.</p>
<p>“As with CVE-2021-36942, a similar vulnerability, CVE-2021-26432, was released in August 2021. Given the similarities between these vulnerabilities and those of August 2021, we could all be in store for a rough May.”</p>
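<p>The LSARPC coercion Microsoft describes for CVE-2022-26925 only becomes the 9.8-rated problem Breen mentions when the coerced NTLM authentication can be relayed somewhere useful. The following PowerShell audit is an added example, not code from the article, Microsoft or any of the quoted vendors: it reads the documented registry locations that govern NTLM use and LDAP signing on a Windows server and reports which of them leave a relay path open. The registry paths and value names are the standard Windows ones; the function name, output shape and pass/fail thresholds are this example's own choices rather than guidance from the page. Run it in an elevated session on each domain controller you want to assess.</p>

```powershell
# Added example (not from the article or from Microsoft): read-only audit of the NTLM and
# LDAP-signing settings that decide whether a coerced authentication can be relayed onward.
# Registry locations are the documented ones; the findings text is this example's judgement.

function Get-NtlmRelayExposure {
    [CmdletBinding()]
    param()

    $lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msvKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

    # Returns $null when a value has never been written, which means the Windows default applies.
    $read = {
        param($Path, $Name)
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
    }

    $lmLevel     = & $read $lsaKey  'LmCompatibilityLevel'          # 0-5; only 5 refuses LM and NTLMv1
    $sendNtlm    = & $read $msvKey  'RestrictSendingNTLMTraffic'    # 0 allow, 1 audit, 2 deny
    $recvNtlm    = & $read $msvKey  'RestrictReceivingNTLMTraffic'  # 0 allow, 1 deny domain, 2 deny all
    $ldapSigning = & $read $ntdsKey 'LDAPServerIntegrity'           # 1 negotiate, 2 require signing

    # DomainRole 4 = backup DC, 5 = primary DC (Win32_ComputerSystem).
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

    $findings = New-Object System.Collections.Generic.List[string]

    if ($null -eq $sendNtlm -or $sendNtlm -lt 2) {
        $findings.Add('Outbound NTLM is not blocked: a coerced authentication can leave this host.')
    }
    if ($null -eq $lmLevel -or $lmLevel -lt 5) {
        $findings.Add('LmCompatibilityLevel below 5: LM/NTLMv1 authentication is not refused.')
    }
    if ($isDc -and ($null -eq $ldapSigning -or $ldapSigning -lt 2)) {
        $findings.Add('LDAP signing is not required on this DC: relayed NTLM can be used against LDAP.')
    }

    [PSCustomObject]@{
        ComputerName                 = $env:COMPUTERNAME
        IsDomainController           = $isDc
        LmCompatibilityLevel         = $lmLevel
        RestrictSendingNTLMTraffic   = $sendNtlm
        RestrictReceivingNTLMTraffic = $recvNtlm
        LDAPServerIntegrity          = $ldapSigning
        Findings                     = $findings.ToArray()
    }
}

# Assumed invocation for the reader; a $null in the output means "never set, default in force".
Get-NtlmRelayExposure | Format-List
```

<p>The audit deliberately changes nothing. Blocking outbound NTLM (RestrictSendingNTLMTraffic = 2) is the setting that stops a coerced authentication at the source, but it also breaks any legitimate NTLM-only dependency, so treat the findings as a to-do list to test against, not a switch to flip on a domain controller unannounced. The script does not inspect other relay targets such as AD CS web enrollment; those need their own check.</p>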
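<p>Two of the fixes Liska singles out only matter under a specific server configuration: the LDAP bugs (CVE-2022-22012 and CVE-2022-29130) require MaxReceiveBuffer to be raised above its default, and the NFS bug (CVE-2022-26937) requires NFSv2 or NFSv3 to be enabled. The PowerShell below is an added example, not code from the article or from Microsoft, that checks both conditions and wraps the NFS workaround the bulletin describes. The query-policy container DN, the lDAPAdminLimits attribute format and the 10485760-byte default are the documented values; the function names and the output shape are this example's own. Get-LdapMaxReceiveBuffer assumes the ActiveDirectory module and read access to the Configuration partition; the NFS functions assume the "Server for NFS" cmdlets are present on the host being checked.</p>

```powershell
# Added example (not from the article or from Microsoft): audits the two configuration
# conditions attached to the May 2022 LDAP and NFS fixes. Function names are assumptions.

$DefaultMaxReceiveBuffer = 10485760   # 10 MB, the documented default for the MaxReceiveBuffer LDAP policy

function Get-LdapMaxReceiveBuffer {
    [CmdletBinding()]
    param()
    $configNc  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNc"

    # Every queryPolicy object can carry its own limits, and a DC can be pointed at a
    # non-default policy through its queryPolicyObject attribute, so check all of them.
    Get-ADObject -SearchBase $container -Filter 'objectClass -eq "queryPolicy"' -Properties lDAPAdminLimits |
        ForEach-Object {
            $policy = $_
            # Values look like "MaxReceiveBuffer=10485760"; no entry means the default applies.
            $entry = @($policy.lDAPAdminLimits) | Where-Object { $_ -like 'MaxReceiveBuffer=*' } | Select-Object -First 1
            $value = if ($entry) { [int64]($entry -split '=')[1] } else { $DefaultMaxReceiveBuffer }
            [PSCustomObject]@{
                Policy           = $policy.Name
                MaxReceiveBuffer = $value
                ExplicitlySet    = [bool]$entry
                AboveDefault     = ($value -gt $DefaultMaxReceiveBuffer)   # True = exposed to CVE-2022-22012/29130 until patched
            }
        }
}

function Get-NfsLegacyVersionState {
    [CmdletBinding()]
    param()
    if (-not (Get-Command -Name Get-NfsServerConfiguration -ErrorAction SilentlyContinue)) {
        return [PSCustomObject]@{ NfsServerInstalled = $false; NfsV2Enabled = $null; NfsV3Enabled = $null; AffectedByCve202226937 = $false }
    }
    $cfg = Get-NfsServerConfiguration
    [PSCustomObject]@{
        NfsServerInstalled     = $true
        NfsV2Enabled           = [bool]$cfg.EnableNFSV2
        NfsV3Enabled           = [bool]$cfg.EnableNFSV3
        NfsV4Enabled           = [bool]$cfg.EnableNFSV4
        AffectedByCve202226937 = [bool]($cfg.EnableNFSV2 -or $cfg.EnableNFSV3)
    }
}

function Disable-NfsLegacyVersions {
    # The bulletin's workaround: turn off v2/v3 and restart the NFS server service.
    # Clients that only speak v2/v3 lose access, so this is a stop-gap until the update is installed.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable NFSv2 and NFSv3 and restart NfsService')) {
        Set-NfsServerConfiguration -EnableNFSV2 $false -EnableNFSV3 $false
        Restart-Service -Name NfsService
    }
}

# Assumed invocations for the reader:
Get-LdapMaxReceiveBuffer | Format-Table -AutoSize
Get-NfsLegacyVersionState
# Disable-NfsLegacyVersions -WhatIf   # preview; drop -WhatIf to apply the workaround
```

<p>A MaxReceiveBuffer row with AboveDefault set to True is the "uncommon configuration" Liska refers to and should move those domain controllers to the front of the patch queue. For NFS, the disable step is only worth taking on servers that cannot be patched promptly; on a patched server the v2/v3 listeners can stay as they were.</p>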