April 13, 2022
Patch Tuesday Advisory - April 2022
Matt Barrett
3 min read | Security Posture, Trending Topics, Vulnerability Management
Spring Showers Bring… 119 Vulnerabilities, 2 Zero Days
Spring is in the air and, for the month of April, so are the Patch Tuesday vulnerabilities. After a relatively slow March, we’re edging back up to normal territory with 119 CVEs and 2 zero-days…not anything epic, but also nothing to shake a stick at.
This month’s Patch Tuesday includes fixes for two zero-day vulnerabilities, one publicly disclosed and the other actively exploited in attacks.
One of these has been observed being exploited in the wild: CVE-2022-24521 affects the Common Log File System Driver in all supported versions of Windows which allows attackers to execute privilege escalation on any Windows asset already accessed.
Another local privilege escalation (LPE), CVE-2022-26904, affecting the Windows User Profile Service, has been publicly disclosed as dependent on race conditions. Though this issue is dangerous, it’s difficult to get to the point of exploitation due to the local access requirement.
Aside from these, 55 LPEs and 47 RCE’s comprise the rest of the CVEs for which patches are released this month. 10 of the RCEs are considered “Critical,” affecting:
- Windows Hyper-V (CVE-2022-22008, CVE-2022-23257, CVE-2022-24537);
- Windows SMB Client (CVE-2022-24500, CVE-2022-24541);
- Windows Network File System (CVE-2022-24491 and CVE-2022-24497);
- LDAP (CVE-2022-26919);
- Microsoft Dynamics (CVE-2022-23259); and the
- Windows RPC Runtime (CVE-2022-26809).
In addition, Skype for Business Server was patched for spoofing (CVE-2022-26910) and information disclosure (CVE-2022-26911) vulnerabilities.
Two RCEs affecting Excel (CVE-2022-24473 and CVE-2022-26901) were fixed, as well as an additional vulnerability in SharePoint Server (CVE-2022-24472).
As always, Balbix can identify all affected assets within 1 hour of release. There are no scans to run. Balbix customers simply search for the CVE name in their Balbix dashboard to view the list of affected assets. Users can also use the filtered search functionality to search for the CVE by site, subnet, location, or other distinguishing factors.
