Seven Critical Vulnerabilities, While Print Spooler Avoids FOMO
With May’s release, the number of threats for our Windows assets is down by a significant amount compared to last month. At first, that might seem like a time for everyone to breathe a sigh of relief. However, there is one major flaw that we need to pay attention to.
This month, CVE-2022-26925 is the most important concern by a country mile. This particular bug is a weakness in a central component of Windows security, the Local Security Authority Remote Procedure Call (LSARPC) protocol within Windows. It is vulnerable to what has been coined an “NTLM relay attack.” This LSARPC weakness was publicly disclosed prior to this release, and Microsoft has confirmed that it is now actively being exploited in the wild. The affected operating systems range from Windows 7 through Windows 10 and Windows Server 2008 through Windows Server 2022.
For those looking for a bit more color on this vulnerability: it allows a man-in-the-middle attacker to force domain controllers to authenticate to the bad actor using NTLM authentication. When used in conjunction with an NTLM relay attack, this can potentially lead to remote code execution.
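A defender-side check for the pattern just described, a domain controller's machine account authenticating over NTLM from an address that is not the DC itself, as an added example that is not part of the original post. The event fields mirror Windows Security event 4624; the DC inventory and sample events are constructed for illustration.

```python
# Added example (not from the Balbix post): flag NTLM network logons by a domain
# controller's machine account that originate from a non-DC address, the footprint a
# relayed DC authentication leaves on the server that accepted it.
# The sample events below are constructed, not real log data.
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonEvent:
    """Subset of Windows Security event 4624 fields relevant to this check."""
    target_user: str    # TargetUserName, e.g. "DC01$"
    auth_package: str   # AuthenticationPackageName, e.g. "NTLM" or "Kerberos"
    logon_type: int     # LogonType, 3 = network
    source_ip: str      # IpAddress of the client that presented the credentials


# Constructed inventory: DC machine accounts and the addresses they legitimately use.
DC_ACCOUNTS = {"DC01$": {"10.0.0.10"}, "DC02$": {"10.0.0.11"}}


def find_relayed_dc_logons(events, dc_accounts=DC_ACCOUNTS):
    """Return events where a DC machine account logged on over NTLM from a non-DC address.

    Kerberos logons are ignored because a relay needs NTLM; logon type 3 (network)
    is what a relayed authentication produces on the server that accepted it.
    """
    hits = []
    for ev in events:
        known_ips = dc_accounts.get(ev.target_user.upper())
        if known_ips is None:
            continue  # not a DC machine account
        if ev.auth_package.upper() != "NTLM" or ev.logon_type != 3:
            continue
        if ev.source_ip not in known_ips:
            hits.append(ev)
    return hits


# Constructed sample: a Kerberos logon, an NTLM logon from the DC's own address,
# an NTLM logon by DC01$ from an unexpected host (the relay pattern), and a user logon.
SAMPLE_EVENTS = [
    LogonEvent("DC01$", "Kerberos", 3, "10.0.0.10"),
    LogonEvent("DC02$", "NTLM", 3, "10.0.0.11"),
    LogonEvent("DC01$", "NTLM", 3, "10.0.0.57"),
    LogonEvent("alice", "NTLM", 3, "10.0.0.57"),
]

if __name__ == "__main__":
    for hit in find_relayed_dc_logons(SAMPLE_EVENTS):
        print(f"ALERT: {hit.target_user} authenticated via NTLM from {hit.source_ip}")
```

Only the third sample event is reported; the check is a triage aid to pair with the patch, not a substitute for it.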
In addition to CVE-2022-26925, there are six other vulnerabilities that have been given the “Critical” severity label by Microsoft. One is CVE-2022-26937 (CVSS score 9.8). It affects services using the Windows Network File System (NFS) and could allow remote, unauthenticated attackers to execute code in the context of the NFS service on affected systems.
A second is the critical bug CVE-2022-26923 (CVSS score 8.8), which allows attackers to exploit the issuance of certificates by inserting crafted data into a certificate request. This lets the attacker obtain a certificate capable of privilege escalation, essentially allowing an individual with unauthorized authentication to become a domain admin within any domain running Active Directory Certificate Services.
The other four critical vulnerabilities for this month affect the Windows Point-to-Point Tunneling Protocol, Redshift ODBC Driver and Kerberos.
Not to be outdone by last month’s clean bill of health, Windows Print Spooler is back with a vengeance after missing a month, with four fixes (CVE-2022-29104, CVE-2022-29132, CVE-2022-29140, and CVE-2022-29114) covering two information disclosure and two elevation of privilege flaws. Microsoft has marked these as “important.”
Additional products impacted by May’s security update include the .NET and Visual Studio platforms; Office and its components; Exchange Server; BitLocker; Remote Desktop Client; NTFS; and Microsoft Edge.
As always, Balbix can identify all affected assets within 1 hour of release. There are no scans to run. Balbix customers simply search for the CVE name in their Balbix dashboard to view the list of affected assets. Users can also use the filtered search functionality to search for the CVE by site, subnet, location, or other distinguishing factors.